CD
Cloudflare Developers5mo ago
Louis

Is there something like Cf-Access-Authenticated-User-Email for Gateway?

Im building an app which is only accessable via Gateway. Now the question in the title so i dont have to implement some 2nd level login system
11 Replies
DaniFoldi
DaniFoldi5mo ago
You can get the user identity from the endpoint described here: https://developers.cloudflare.com/cloudflare-one/identity/authorization-cookie/application-token/ In any case, it's highly recommended that you validate the JWT received, so in the same location you can fetch the user details
Application token · Cloudflare Zero Trust docs
Cloudflare Access includes the application token with all authenticated requests to your origin. A typical JWT looks like this:
Louis
Louis5mo ago
thank you @PurpleBlob quick question. I installed Cloudflare One Agent on my android phone but when i go to help.teams.cloudflare.com it says im not connected. same on /cdn/cgi/trace when i connect to warp on my macbook both pages work
DaniFoldi
DaniFoldi5mo ago
Hmm, I'm not sure I can help too much with that as I've never used it on Android myself, and I've never heard a similar issue from anyone on our team, sorry
Louis
Louis5mo ago
i got it when i tried cloudflare.com/cdn-cgi/trace it didnt work but after i changed cloudflare.com to one of my domians it worked weird Where do i find the CF_Authorization JWT?
semaja2
semaja25mo ago
That JWT only exists for "Access" to my understanding? and will not be applied if you use a bypass rule From the doco its self "Cloudflare Access includes the application token with all authenticated requests to your origin" You mentioned you are using Gateway, can you confirm how you have published the app? (eg. you can do the tunnel, but then you would create in the access section, unless you are just routing directly via gateway)
Louis
Louis5mo ago
@semaja2 its deployed via Workers and then i set a domain and added the domain to the application in cloudflare zero trust access i checked the jwt which i get in the service auth but it doesnt contain any information about the identity of the user. is there a other way to get the user info of the gatway user? tbh. i just need the email. And i cant use an Allow rule instead of the service auth because its an rest api which is portected with it
semaja2
semaja25mo ago
Out of interest have you checked for the "cf-access-user" header? curious if it makes it to the worker, but that will just be the users email address looks like there may also be the “Cf-Access-Authenticated-User-Email”: header
Louis
Louis5mo ago
no but when i dont use service auth i would get it
semaja2
semaja25mo ago
Ah i understand what you have going on, I have similar issues with REST APIs, so use the WARP/Gateway to restrict access without the auth prompts Sounds like this may need to be a feature request, I really wish Gateway/Access were more integrated, would be useful for gateway to permit "allow" rules but detect WARP/Gateway and inherit the user details without prompting for auth, would also avoid doubling up on the rules between Gateway/Access to control who can access it
Louis
Louis5mo ago
exactly
semaja2
semaja25mo ago
Was just adding a new application and saw this pop up....
No description
Want results from more Discord servers?
Add your server
More Posts
can you port forward ssh / rdp port via cloudflare tunnels^^This question for help, after adding aThis question for help, after adding a few lines of business code, the release deploy failedCant delete Access Groups and Service TokensHello, I created a servicetoken for testing and deleted the application where i used it. Now i wantNeed help with enabling api security for the backend runing on gcp app engine.The catch is that I have a shopify app, running on www.myapp.com this is secured by cloudflare provBest setup for webhook -> websocket?What is the best way to take a web request and in turn send it to all open websocket connections? I whats the limits of zones on each plan, free, pro, business and enterprise?I was checking some forum discussions and I have found some conflict due its time gap and changes. yes if not that, I could't access toyes if not that, I could't access to subdomain.domain.comSubdomain Number LimitHi, could anyone please kindly let me know if there's any subdomain number limit for free/paid plan?Page rule for forwarding URLHey, i want forward domain with first and rest params like `https://sub.domain.com/magic/dir/manifeCloudflare pages - 500 errors on accessing new deploymentsOur new deployments are building but then throwing javascript errors when we try to access the deplo