I was wondering about the use-case of setting the One-time PIN as a Login Method in an allow list.
A bit of information:
I have created an allow list in the Access group allowing emails ending in a specific @domain.
In my Applications, I have enabled the One-time PIN as an Identity Provider .
My allowlist looks like this:
Include:
Selector → Emails ending in → @domain.com
From the documentation “Instructions for setup” when setting up the OTP, it says:
“To grant a user access to an application, simply add their email address to an Access policy.”
And this works, perfectly. I see the OTP when I try to go to my domain, and I only receive the pin when I enter a correct email-address ending with my specific @domain.
But,
Looking at my allow list in the Access Groups, I can add another Include:
And now, my One-time PIN allows ALL email-addresses. Not just those from the specific @domain.com . I understand that 2 Includes functions as an ‘OR’ and not an ‘AND’ . And the ‘Requires’ can be used for the ‘AND’ part.
But, what I don’t understand. Why would someone want to add the OTP in their allowlist? If works perfectly using the allowlist without setting it as a Login method. And if someone wants to use it for the specific domain by using a ‘Requires’. It would have the same result as not setting the OTP right?
As per the Docs (https://developers.cloudflare.com/cloudflare-one/policies/access/)
The Include rule is similar to an OR logical operator. In case more than one Include rule is specified, users need to meet only one of the criteria.
The Require rule works like an AND logical operator. A user must meet all specified Require rules to be allowed access.
You can add a lot more login methods than just One-time pin. Google, Azure, Github, and any provider which works with OpenID or SAML.
You might want to let @yourcompany.com emails sign in but only via Google, and then let subcontractors sign in only via Email pin. Doing that via two policies, requiring email match & login method.
It works fine without setting it because your only rule is “include these emails” so login type can be whatever. If someone sets it to one time pin, then you can’t use Google or any other login method you added.
I guess most of your question is rooted in the confusion that you only have one-time pin set up right now, but you can add more identity providers/login methods?