Automatically authorize all Zero trust domains in an Application when one of them was authorized

Hi guys, currently my web and my R2 bucket domain are protected by the same zero trust Application and that web frontend is using assets stored in the R2 bucket. But when the Zero Trust credential timed out and users need to relogin, they always login into the web. When it calls R2 bucket domain, an error returned. Users have to manually go to the R2 bucket domain to authorize access, until then my web can get assets from R2 normally again. Is there any way to simplify this step?

Cyb3r-Jak3•3/4/24, 3:31 PM

Combine the public hostnames for the application and the custom r2 domain to use the same access application.

Cyb3r-Jak3•3/4/24, 3:35 PM

Access applications share the same auth so if you are signed into a hostname that is in it then it will work on other hostnames in the application.

Tony LeungOP•3/4/24, 3:59 PM

Thanks, I'm currently configuring my app and custom R2 domain to be in the same access application, but the inconvenience is, when I accessed into my application, all assets served via custom R2 domain cannot be access. I have to open another browser tab and manually go to the custom R2 domain to let CF verifies my access (which only a few second and a redirect because I've been authorized before), until then the assets on the my app can be fetched normally. It's kinda annoying to have more than 1 domain behind zero trust, since I have to manually go to each domain to verify the access.

Tony LeungOP•3/4/24, 4:02 PM

Eg:
I have web page on domain A, which has asset served by domain B (a custom R2 domain). When I go to domain A (after I finished Zero Trust authorization), all assets served by domain B is still forbiddenforbidden. I have to go to domain B on another tab to manually authorize access on domain B (which is just a redirect), until then, all assets on domain B could be see on domain A's web page.

Cyb3r-Jak3•3/4/24, 4:04 PM

If both domain A and domain B are under the same access application then I don’t believe that should happen

Tony LeungOP•3/4/24, 4:04 PM

mine is having that issue...

Tony LeungOP•3/4/24, 4:05 PM

did i misconfigured anything?

Tony LeungOP•3/4/24, 4:06 PM

It seems like CF_authorization cookies cannot be shared between domains

Tony LeungOP•3/4/24, 4:07 PM

the point is the access verification is OK, i only need to enter OTP once when I visit domain A

Cyb3r-Jak3•3/4/24, 4:27 PM

Oh like example1.com and example2.com?

Tony LeungOP•3/4/24, 4:35 PM

yeah... domain B is the sub domain of domain A

Tony LeungOP•3/4/24, 4:36 PM

if domain A is "example.com" then domain B is "video.example.com"

Cyb3r-Jak3•3/4/24, 4:55 PM

I think that should work. I’ll test it out later to see if I can get it to work.

Cyb3r-Jak3•3/4/24, 10:38 PM

Are you by chance getting CORS errors?

Cyb3r-Jak3•3/5/24, 12:01 AM

I have https://github.com/Cyb3r-Jak3/cf-example-cors-application which does work

Tony LeungOP•3/5/24, 3:40 AM

thank you, i will try it out

Tony LeungOP•3/5/24, 3:52 AM

I've tried on Chrome and Safari, it seems like it's safari problem. Safari has followed redirects and but finally returns a login page, which is the first page in the redirect chain

Cyb3r-Jak3•3/5/24, 3:54 AM

Oh I’m wondering if it’s Safari’s cross site cookie protection

Tony LeungOP•3/5/24, 3:54 AM

In front end it shows like this