I feel like I'm going mental. JWTs are not allowing access despite me following every doc

So I am running a dockerised application with cloudflared + tunnel + access to host this appliction to https://myapp.mywebsite.com

I got everything up and running and it worked - I could access this page fine.

I've then been trying to use Zero Trust with service tokens to access programatically. I've followed the docs here: https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/

I send my first request

curl -H "CF-Access-Client-Id: <CLIENT_ID>" -H "CF-Access-Client-Secret: <CLIENT_SECRET>" https://app.example.com

curl -H "CF-Access-Client-Id: <CLIENT_ID>" -H "CF-Access-Client-Secret: <CLIENT_SECRET>" https://app.example.com

curl -H "CF-Access-Client-Id: <CLIENT_ID>" -H "CF-Access-Client-Secret: <CLIENT_SECRET>" https://app.example.com

curl -H "CF-Access-Client-Id: <CLIENT_ID>" -H "CF-Access-Client-Secret: <CLIENT_SECRET>" https://app.example.com and access the page fine so I know it is working.

However, I then try and send subsequent requests and am constantly encountering 401 not authorised errors.

I have tried the following:

curl -H "cookie: CF_Authorization=<CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com

curl -H "cookie: CF_Authorization=<CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com

curl -H "cookie: CF_Authorization=<CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com

curl -H "cookie: CF_Authorization=<CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com

curl -H "cf-access-token=<CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com

curl -H "cf-access-token=<CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com

curl -H "cf-access-token=<CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com

curl -H "cf-access-token=<CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com

curl --cookie "CF_Authorization=<CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com

curl --cookie "CF_Authorization=<CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com

curl --cookie "CF_Authorization=<CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com

curl --cookie "CF_Authorization=<CF_AUTHORIZATION_COOKIE>" https://myapp.mywebsite.com

I have tried from the command line using the above, from Postman with different variations of JWT auth (including the above and more) and setting the cookie in the browser and visiting the page. I've tried with

<CF_AUTHORIZATION_COOKIE>

<CF_AUTHORIZATION_COOKIE>

<CF_AUTHORIZATION_COOKIE>

<CF_AUTHORIZATION_COOKIE> being just the JWT string or mimicking the exact contents of the

set-cookie

set-cookie

set-cookie

set-cookie response.

Every single try is met with a 401 unauthorized.

I've checked my JWT on jwt.io and all fields are expected.

I've regularly been checking access using the

CLIENT_ID

CLIENT_ID

CLIENT_ID

CLIENT_ID and

CLIENT_SECRET

CLIENT_SECRET

CLIENT_SECRET

CLIENT_SECRET and it always works.

In my Zero Trust -> Access -> Applications -> Policies I have the following set up:

Service token. Action = SERVICE AUTH
JWT. Action = ALLOW. Include Selectors "Service Token" with value
```
my-only-service-token
```
my-only-service-token
```
my-only-service-token
```
my-only-service-token
and "Any Access Service Token" with value "Any non expired Service Token will be matched".

What on earth is going on here? I've been trying this for hours and I'm tearing my hair out. It shouldn't be this difficult.

Mmutatedllama So I am running a dockerised application with cloudflared + tunnel + access to h...

Chaika•10/6/24, 8:36 PM

That's an interesting one, I can reproduce that if I only have an Allow policy and not a service auth one as well. I'd try changing the Allow one to being the same specificness also allowing all tokens, saving policy, saving application, give it a min to propogate and then try. Doing Service Auth Policy then Allow works fine for me both with the headers and using the cookie.

Could also just go Service Auth and pass the headers each time

CChaika That's an interesting one, I can reproduce that if I only have an Allow policy a...

mutatedllamaOP•10/7/24, 8:48 AM

Thanks for your resposne. That's strange. If I have just the Allow then the initial request for the JWT doesn't work. It doesn't return the usual page contents (only a 301 Found) and doesn't provide a

set-cookie

set-cookie

response.

I am going to recreate these and try again. attached are some pics that show my new setup. Does this look how you would expect?

Mmutatedllama Thanks for your resposne. That's strange. If I have just the Allow then the init...

Chaika•10/7/24, 3:35 PM

I just allowed all service tokens rather then a specific but other then that, that looks sane yea

I feel like I'm going mental. JWTs are not allowing access despite me following every doc

Similar Threads

Similar Threads

Similar Threads