Access Multi-Domain Applications

I’m excited to announce support for Multi-Domain Applications in Cloudflare Access.

With Multi-Domain Applications, you may now define an Access Application with multiple domains, subdomains and paths.

What problem does this address?

  1. Single Page App / Multi-Domain Session Management - Many applications have multiple domains: at least one for the front-end user experience and another for receiving API requests (e.g., app.example.com and api.example.com). This created a problem because the front-end service could not communicate with the API, as they did not share a session, leading to Access blocking the requests. Previously, different custom approaches were required to issue or share the Access JWT between different hostnames.
    Multi-Domain Applications allow teams to protect multiple subdomains with a single Access app, simplifying the process and reducing the need for multiple apps. Access also takes care of JWT cookie issuance across all hostnames associated with a given application (for up to 5 domains). This means that a front-end and API service on two different domains can communicate securely without any additional configuration.

  2. Unified Policy Management - Previously, admins had to configure an Access Application per unique domain, even if the policies were identical. This often led to inconsistencies between different applications even though they should have an identical policy.

Getting Started

This is available across all Access and Zero Trust plans. Follow this guide to get started: Authorization cookie · Cloudflare Zero Trust docs

Please let us know if you have questions/comments/feedback :slightly_smiling_face:
-The Cloudflare Access Team

1 Like

That’s a great change, but how to configure it though?
I have an application consisting of a frontend running on uat.example.com and a backend running on api.uat.example.com, but when I set up both URLs inside one application in Zero Trust, it still blocks all the requests going to api.uat.example.com, so the application is unusable.

1 Like

I cannot add more subdomains in my application. The "add subdomain" action is not working, even though the update is successful. Is there a way to add them?

@Maciej have you been able to use Zero Trust Access in your configuration? We have the same issue in our environment.

Not really. In my opinion this part doesn’t work:

Multi-Domain Applications allow teams to protect multiple subdomains with a single Access app, simplifying the process and reducing the need for multiple apps. Access also takes care of JWT cookie issuance across all hostnames associated with a given application (for up to 5 domains). This means that a front-end and API service on two different domains can communicate securely without any additional configuration.

I’ve contacted the Zero Trust support, but they weren’t able to tell me what’s the issue either.
For now we’re just going to force frontend to send CF-Authorization cookie to backend.

Hey @Maciej do you have the ticket # handy? I can take a look.

We should be setting the cookie across the api and frontend domains on initial user auth. If you are not seeing the cookie get set on the backend domain, we can definitely take a look.

Hey @kjohnson1, it was a chat conversation with ticket number #2844706.

1 Like

Ok, I reviewed that ticket, thank you. You’re right that a bypass is not the right approach (I’ve opened an internal thread to correct that guidance given in the future).

You should be able to accomplish this using the multi-domain application feature we launched. Example:

Once you’ve added multiple domains, at the time the user authenticates the same Access JWT/cookie will be issued to each of those domains through a redirect loop. They will have the same AUD tag, which should allow for seamless communication back to the API service from the front end.

If you’re still having issues after that, we can take a look in a support ticket and then add our findings back here if we figure out something conclusive for the rest of the folks watching here.

@kjohnson1 I’ve been trying to do it this way since the day I found the option to add more than one domain into one application and still the result is as follows:

@kjohnson1 attaching also the screenshot from my config:

XMLHttpRequest: withCredentials property - Web APIs | MDN (mozilla.org)

Do you have the withCredentials flag enabled to make sure the browser knows to send the JWT? That could be causing the issue.
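
As an added illustration of the withCredentials point (example code written for this thread, not from the original post or from Cloudflare): the browser does not attach cookies to cross-origin fetch/XHR calls unless the page asks for them, so the CF_Authorization cookie that Access set on api.uat.example.com during login is simply left out, and Access treats the call as unauthenticated. Asking for them has a server-side consequence that is easy to miss: a credentialed cross-origin response must name the exact origin, because browsers reject `Access-Control-Allow-Origin: *` when credentials are included. The hostnames are the ones from this thread; the API handler is a plain function so it can be dropped into any Node framework.

```javascript
// Added example, not from the original post: what withCredentials means for a
// front end on uat.example.com calling api.uat.example.com behind Access.
// Assumptions: hostnames from the thread, cookie name CF_Authorization.

// Browser side. credentials: 'include' is the fetch() equivalent of
// xhr.withCredentials = true; without it the Access cookie is never sent.
function apiFetch(path, init = {}) {
  return fetch(`https://api.uat.example.com${path}`, { ...init, credentials: 'include' });
}

// API side. Returns the CORS headers to add for a given request Origin, or
// null if the origin is not on the allow list. The origin is echoed back
// verbatim; '*' is not allowed together with Allow-Credentials: true.
function corsHeadersFor(origin, allowedOrigins) {
  if (!origin || !allowedOrigins.includes(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Vary': 'Origin', // responses differ per origin, so caches must key on it
  };
}

const ALLOWED_ORIGINS = ['https://uat.example.com'];

// Minimal request handler. The preflight OPTIONS request is sent by the
// browser *without* cookies, so whatever answers it (the API, or Access in
// front of it) must do so without a session; real requests must carry the
// Access cookie. The cookie-presence test below is a stand-in for validating
// the JWT itself.
function handle(req) {
  const cors = corsHeadersFor(req.headers.origin, ALLOWED_ORIGINS);
  if (!cors) return { status: 403, headers: {}, body: 'origin not allowed' };
  if (req.method === 'OPTIONS') return { status: 204, headers: cors, body: '' };
  const hasAccessCookie = /(?:^|;\s*)CF_Authorization=/.test(req.headers.cookie || '');
  if (!hasAccessCookie) return { status: 401, headers: cors, body: 'no Access session' };
  return { status: 200, headers: cors, body: JSON.stringify({ ok: true }) };
}

module.exports = { apiFetch, corsHeadersFor, handle, ALLOWED_ORIGINS };
```

If the API is only ever called from the front end, keeping the allow list to that single origin is the right default; widening it to every hostname in the Access application is only needed when more than one of them makes cross-origin calls.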

You mean we need to modify the application to add withCredentials, and then the multi-domain function will work?
Is there any official document about that?

1 Like

Any way to put more than 5 domains on a single application?

I have 6 servers with 6 tunnels, so when I tried setting up an SSH application I actually had to split them between two applications, meaning I had to use two different CA files for the short-lived certificates feature.

I found a document implying that more than 5 domains are possible:

Hello,
I am configuring an Access App using API calls.
I have been able to create and update the “domain” of the app, but I do not find how to add sub-domains.

Documentation: https://developers.cloudflare.com/api/operations/zone-level-access-applications-add-a-bookmark-application does not mention how to do this…

I tried:

  --data '{
  "allowed_idps": [  ],
  "app_launcher_visible": false,
  "auto_redirect_to_identity": false,
  "domain": [ "example.com/sub1", "example.com/sub2" ],
  "enable_binding_cookie": false,
  "http_only_cookie_attribute": true,
  "name": "test multisub",
  "session_duration": "24h",
  "type": "self_hosted"
}'

but this fails because "domain" is a string.

  --data '{
  "allowed_idps": [  ],
  "app_launcher_visible": false,
  "auto_redirect_to_identity": false,
  "domain":  "example.com/sub1",
  "enable_binding_cookie": false,
  "http_only_cookie_attribute": true,
  "name": "test multisub",
  "session_duration": "24h",
  "sub-domain": "example.com/sub2",
  "type": "self_hosted"
}'

This is not throwing error, but does not take the sub-domain into account…

Any ideas how to achieve this outside of the console?

Ok I found how to do it…

Just need to list the sub-domains like this in the data of the PUT/POST:
"self_hosted_domains": [ "example.com/sub1", "example.com/sub2"],

Note that "domain" should be repeated in "self_hosted_domains", otherwise there is an error.
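
Putting the finding above together with the rest of the thread, here is an added example (not from the original post and not Cloudflare's own tooling) that builds the multi-domain application body and sends it with the zone-level API from Node. It encodes the two constraints the thread establishes: "domain" has to be repeated in "self_hosted_domains", and an application holds at most 5 domains per the announcement. The endpoint path is the one from the public API reference (PUT /client/v4/zones/{zone_id}/access/apps/{app_id}); the zone id, app id and token are placeholders, and the hostnames are the ones from earlier in the thread.

```javascript
// Added example, not from the original post: building and sending the
// multi-domain Access application payload via the zone-level API.
// Assumptions: endpoint path from the public API reference; ZONE_ID, APP_ID and
// the API token are placeholders; MAX_DOMAINS is the limit from the announcement.
const MAX_DOMAINS = 5;

// Normalise "https://host/path/" style input to the bare "host/path" form used
// by `domain` and `self_hosted_domains`.
function normaliseDomain(d) {
  return d.trim().replace(/^https?:\/\//i, '').replace(/\/+$/, '');
}

// Build the request body. The primary `domain` must also appear in
// `self_hosted_domains` (the API returns an error otherwise), so it is
// prepended and the list is de-duplicated while preserving order.
function buildAccessAppPayload(name, domain, extraDomains, overrides = {}) {
  const primary = normaliseDomain(domain);
  const all = [primary, ...extraDomains.map(normaliseDomain)]
    .filter((d, i, a) => a.indexOf(d) === i);
  if (all.length > MAX_DOMAINS) {
    throw new Error(`${all.length} domains exceed the ${MAX_DOMAINS}-domain limit; split into several apps`);
  }
  return {
    name,
    type: 'self_hosted',
    domain: primary,
    self_hosted_domains: all,
    session_duration: '24h',
    http_only_cookie_attribute: true,
    enable_binding_cookie: false,
    app_launcher_visible: false,
    auto_redirect_to_identity: false,
    ...overrides,
  };
}

// Send it with a PUT. Not executed here: needs a real zone, app id and token.
async function updateAccessApp(zoneId, appId, apiToken, payload) {
  const res = await fetch(`https://api.cloudflare.com/client/v4/zones/${zoneId}/access/apps/${appId}`, {
    method: 'PUT',
    headers: { Authorization: `Bearer ${apiToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  });
  const body = await res.json();
  if (!res.ok || !body.success) throw new Error(`API error: ${JSON.stringify(body.errors)}`);
  return body.result;
}

// The case from this thread: front end and API host in one application. The
// duplicated, scheme-prefixed entry is dropped by the normalisation.
const uatPayload = buildAccessAppPayload('uat', 'uat.example.com',
  ['api.uat.example.com', 'https://uat.example.com/']);
// uatPayload.self_hosted_domains -> ['uat.example.com', 'api.uat.example.com']

module.exports = { MAX_DOMAINS, normaliseDomain, buildAccessAppPayload, updateAccessApp, uatPayload };
```

Call `updateAccessApp(ZONE_ID, APP_ID, process.env.CF_API_TOKEN, uatPayload)` to apply it; the same body works for POST on the collection endpoint when creating the application.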