How are Access Service Token JWTs supposed to be used?

In the Zero Trust dashboard, each request using a Service Token shows up as a "Login". I assumed this was because perhaps I was using them wrong, so I tried just using the cookie (from an initial request) for subsequent requests and omitting the

cf-access-client-id

cf-access-client-id

and

cf-access-client-secret

cf-access-client-secret

headers... but this returns a 401/403 (I don't recall, because this was a week ago). I tried extracting the JWT from the cookie and using it in place of the

cf-access-client-secret

cf-access-client-secret

header, and a bunch of other things I thought might be the "correct way", but nothing worked. The documentation is pretty light on this topic, so I was wondering if I'm missing something. Its obviously not the end of the world having each request showing up as a login... although I'd rather it didn't. But I'm just so confused because the docs (https://developers.cloudflare.com/cloudflare-one/identity/service-tokens/#connect-your-service-to-access) literally say: "If the service token is valid, Access generates a JWT scoped to the application. All subsequent requests with that JWT will succeed until the expiration of that JWT." But what does that even mean if there's no way of using the JWT for subsequent requests? I've scoured the web for answers, and found several posts/questions from people with the exact same question... and they never have any answer below them

Cloudflare Docs

Service tokens · Cloudflare Zero Trust docs

You can provide automated systems with service tokens to authenticate against your Zero Trust policies. Cloudflare Access will generate service tokens …

Tony Leung•4/1/24, 4:59 AM

the JWT token is sent to you via CF_Authorization cookie, so any browser can automatically store that token and seamlessly use this feature. But in server we don't have a cookie jar to automatically store the cookie, so you will have to manually extract and store it

Tony Leung•4/1/24, 5:04 AM

assume that you have domain

example.com

example.com

protected by zerotrust, my approach is:

Make a GET request to

example.com

example.com

with

CF-Access-Client-Id

CF-Access-Client-Id

and

CF-Access-Client-Secret

CF-Access-Client-Secret

Extract cookies via

Set-Cookie

Set-Cookie

header responded by CF Access and get the

CF_Authorization

CF_Authorization

cookie. It will look like this:

CF_Authorization={some token}; Expires=Wed, 01 May 2024 10:00:33 GMT; Path=/; Secure; HttpOnly; SameSite=none

CF_Authorization={some token}; Expires=Wed, 01 May 2024 10:00:33 GMT; Path=/; Secure; HttpOnly; SameSite=none

(result maybe different according to setting in Zero Trust Application)

Store that cookie somewhere else, in my case I store it in CF KV. Everytime I request any resource in
```
example.com
```
```
example.com
```
, I append the cookie value acquired like above to the
```
Cookies
```
```
Cookies
```
header, even when you are sending request from server.

Tony Leung•4/1/24, 5:06 AM

in the document it said that

CF_Authorization

CF_Authorization

header can work too, but for some reason it does not work as expected, so I use the cookie header approach, which simulate cookie sending like a browser

Jacob MarshallOP•4/1/24, 5:11 AM

Thats the thing... I implemented a cookie-jar, which is sending the cookie back to the endpoint... but it fails (401/403)

Tony Leung•4/1/24, 5:12 AM

what's the error message?

Jacob MarshallOP•4/1/24, 5:13 AM

I'll have to grab that code again and get back to you. This was a week ago, and reached out on Twitter about it, and nobody responded

Jacob MarshallOP•4/1/24, 5:14 AM

I'm wondering if there's maybe some other config on the access app to make this work.

JJacob Marshall I'll have to grab that code again and get back to you. This was a week ago, and ...

Tony Leung•4/1/24, 5:15 AM

unless you are a big enterprise or you are on your own XD. At least CF are kind enough to have this discord server and response to our request on their help forum

Tony Leung•4/1/24, 5:16 AM

we dont have such luxury when we use AWS

Tony Leung•4/1/24, 5:19 AM

you have to add a policy whose action set to Service Auth

Screenshot_2024-04-01_at_12.19.12_PM.png

Jacob MarshallOP•4/1/24, 5:20 AM

Yeah I have that setup. Ran into that issue a while back when first using Service Tokens haha

Tony Leung•4/1/24, 5:20 AM

then under the

Assign a group

Assign a group

section, you have to choose a group which has your access token

Jacob MarshallOP•4/1/24, 5:22 AM

I'm just gonna try replicate on my personal Cloudflare account now

Tony Leung•4/1/24, 5:24 AM

You will need an access group which reference a service token like this:

Jacob MarshallOP•4/1/24, 5:25 AM

It has to be an access group? I can't just add it under "Create additional rules"?

Tony Leung•4/1/24, 5:26 AM

then attach that group to a policy like this

Screenshot_2024-04-01_at_12.25.55_PM.png

JJacob Marshall It *has* to be an access group? I can't just add it under "Create additional rul...

Tony Leung•4/1/24, 5:27 AM

I haven't tried that approach tho

Jacob MarshallOP•4/1/24, 5:27 AM

OK so I've replicated it now. 1 second while I take some screenshots

Tony Leung•4/1/24, 5:28 AM

if you've added that token to an existing policy and it does not work then I'm afraid that you will need to create a separate

Service Auth

Service Auth

policy

Jacob MarshallOP•4/1/24, 5:28 AM

Hmmm

Tony Leung•4/1/24, 5:30 AM

btw a group above means that your Access Entity needs to have a feature defined in a group, like an email belongs to

@company.com

@company.com

group

Tony Leung•4/1/24, 5:30 AM

an service token does not represent anyone who belong to a group so it will fail

Tony Leung•4/1/24, 5:30 AM

that's my assumption

Tony Leung•4/1/24, 5:32 AM

btw they have a separated action named

Service Auth

Service Auth

so it must have a purpose

Jacob MarshallOP•4/1/24, 5:32 AM

Yeah, I would have assumed the "Service Auth" action made everything for a service token work.

Jacob MarshallOP•4/1/24, 5:33 AM

Thats why I'm suspecting something isn't quite right here.

Jacob MarshallOP•4/1/24, 5:33 AM

The docs literally don't say any of this extra stuff. And I can gain access to the app when using the 2 clearly defined cf-access-* headers.

Jacob MarshallOP•4/1/24, 5:33 AM

But just not when using the JWT in a cookie.

Tony Leung•4/1/24, 5:34 AM

https://developers.cloudflare.com/cloudflare-one/identity/authorization-cookie/validating-json/

Cloudflare Docs

Validate JWTs · Cloudflare Zero Trust docs

When Cloudflare sends a request to your origin, the request will include an application token as a Cf-Access-Jwt-Assertion request header and as a …

Jacob MarshallOP•4/1/24, 5:34 AM

Yeah thats different though.

Jacob MarshallOP•4/1/24, 5:34 AM

Thats on the origin-side of things.

Tony Leung•4/1/24, 5:34 AM

this document said I can have that in

Cf-Access-Jwt-Assertion

Cf-Access-Jwt-Assertion

but it didn't work XD

Jacob MarshallOP•4/1/24, 5:34 AM

That header is injected by Cloudflare AFAIK.

TTony Leung if you've added that token to an existing policy and it does not work then I'm a...

Tony Leung•4/1/24, 5:36 AM

well I guess that's how to config an access policy to accept

Service Token

Service Token

. I was digging documents and retry for a few hours a few months ago to make it work XD

Jacob MarshallOP•4/1/24, 5:39 AM

Here I make a request with the service token's client ID and secret. And I get through...

Jacob MarshallOP•4/1/24, 5:40 AM

Then I take the cookie from the response (I made the actual request with

-v

-v

so cURL would show the response headers, but I've hidden that in the first screenshot), and send it to the same endpoint, and it returns a 403 (Forbidden).

Jacob MarshallOP•4/1/24, 5:45 AM

This is what the HTML contains... so essentually the same as if I open the page up in the browser.

Jacob MarshallOP•4/1/24, 5:52 AM

I tried using an access group, but that doesn't make any difference.

JJacob Marshall I tried using an access group, but that doesn't make any difference.

Tony Leung•4/1/24, 2:14 PM

had you created a separated policy just for Service Auth?

mutatedllama•10/6/24, 4:15 PM

@Jacob Marshall, did you ever get this working? I am running into the same issue and it is infuriating that I've followed the docs exactly as they say and I'm just getting back a non-descript "forbidden" 401/403 response like you

Jacob MarshallOP•10/7/24, 9:01 AM

@mutatedllama So… short answer - no. Long answer is that I believe there might be a workaround. I reached out to somebody via Twitter DMs and they said that there was a bug in zero trust that was preventing this from working as intended. I’ll see if I can find more details. It was a while ago now haha.

Jacob MarshallOP•10/7/24, 9:02 AM

Ok this turned out to be a very silly edge case on our side. If you add an allow policy to that app, it'll work just fine including the Access JWT. Otherwise it blocks without the service token attached.

We're trying to figure out how to change this without a breaking change. But if you add an empty Allow policy for now, it'll work as you expect.

Jacob MarshallOP•10/7/24, 9:04 AM

That’s a direct quote from https://x.com/kennyjohnsonatx. However I will say… I did try the workaround and it didn’t work. So… your mileage may vary.

JJacob Marshall > Ok this turned out to be a very silly edge case on our side. If you add an all...

mutatedllama•10/7/24, 5:36 PM

Wow, thanks for this! That is crazy. I'll give that a try and see how it goes!

How are Access Service Token JWTs supposed to be used?

Similar Threads

Similar Threads

Similar Threads