What is the name of the domain?
example.com
What is the issue you’re encountering?
Cloudflare’s bot fight mode challenges requests made by Tailscale’s OIDC login integration
What steps have you taken to resolve the issue?
Turning off bot fight mode for the entire domain does temporarily allow the request to succeed. The documentation says WAF skip rules can’t bypass bot fight mode.
What is the current SSL/TLS setting?
Full (strict)
What are the steps to reproduce the issue?
See “OIDC login attempts trigger Cloudflare's bot fight mode” (tailscale/tailscale issue #15557 on GitHub) for the Tailscale counterpart. But in short: when logging into the Tailscale console for an account that uses OIDC where the SSO server is behind Cloudflare, Cloudflare will challenge the request. Because the response isn’t what Tailscale expects, Tailscale responds with a 500 error. See that GitHub issue for a screenshot of the request that gets challenged.
I believe in the past Cloudflare did not challenge this request. I would speculate either the Cloudflare internal rules for how managed challenges are triggered got adjusted and therefore the request now gets challenged, or Tailscale changed something on their end (user agent, originating IP, etc.) which pushes the request into managed challenge territory.
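The failure mode described above, as an added example that is not part of the original post and is neither Tailscale's nor Cloudflare's code: a small Python checker that tells a Cloudflare managed challenge apart from the JSON an OIDC relying party expects to get back from the IdP. It relies on the `cf-mitigated: challenge` response header that Cloudflare documents for challenge pages; the discovery path in the usage note is the standard OIDC one, and the sample responses in the block are constructed for illustration, not captured from a real zone.

```python
"""Distinguish a Cloudflare managed challenge from a real OIDC response.

An OIDC relying party (here, the role Tailscale plays) expects JSON from the
provider's discovery and token endpoints. When the provider sits behind
Cloudflare and the request is challenged, the RP instead receives an HTML
interstitial, which it cannot parse and typically surfaces as a 5xx.
"""
import json
import urllib.error
import urllib.request
from typing import Dict, Mapping, Tuple

# Cloudflare documents that challenge page responses carry this header
# (with an HTTP 403 and an HTML body) so automated clients can recognise them.
CHALLENGE_HEADER = "cf-mitigated"
CHALLENGE_VALUE = "challenge"


def classify_oidc_response(status: int, headers: Mapping[str, str], body: bytes) -> str:
    """Classify one response from an OIDC endpoint.

    Returns one of:
      'challenge'  - a Cloudflare challenge interstitial, not the origin's answer
      'oidc_json'  - a 200 JSON body shaped like an OIDC discovery or token reply
      'unexpected' - anything else (origin error, HTML page, malformed JSON, ...)
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if h.get(CHALLENGE_HEADER, "").strip().lower() == CHALLENGE_VALUE:
        return "challenge"
    media_type = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if status == 200 and media_type == "application/json":
        try:
            doc = json.loads(body.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            return "unexpected"
        # Discovery documents carry "issuer"; token replies carry "access_token"
        # (or an "error" member on failure), per the OIDC/OAuth 2.0 specs.
        if isinstance(doc, dict) and any(k in doc for k in ("issuer", "access_token", "error")):
            return "oidc_json"
    return "unexpected"


def fetch_and_classify(url: str, user_agent: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET `url` with the given User-Agent and classify the reply (live network helper).

    A challenge is an HTTP 403, which urllib raises as HTTPError; the error
    response is classified rather than discarded so the caller can see it.
    """
    req = urllib.request.Request(
        url, headers={"User-Agent": user_agent, "Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, classify_oidc_response(
                resp.status, dict(resp.headers.items()), resp.read()
            )
    except urllib.error.HTTPError as err:
        return err.code, classify_oidc_response(err.code, dict(err.headers.items()), err.read())


# Constructed sample responses (not captured from Cloudflare or Tailscale). The
# challenge sample follows Cloudflare's documented signature; the discovery
# sample follows the OIDC discovery document format.
SAMPLES: Dict[str, Tuple[int, Dict[str, str], bytes]] = {
    "discovery": (
        200,
        {"Content-Type": "application/json; charset=utf-8", "Server": "cloudflare"},
        json.dumps(
            {"issuer": "https://sso.example.com", "token_endpoint": "https://sso.example.com/token"}
        ).encode(),
    ),
    "challenge": (
        403,
        {"Content-Type": "text/html; charset=UTF-8", "Server": "cloudflare", "CF-Mitigated": "challenge"},
        b"<!DOCTYPE html><html><head><title>Just a moment...</title></head><body></body></html>",
    ),
    "origin_error": (502, {"Content-Type": "text/html"}, b"<html>Bad gateway</html>"),
    "bad_json": (200, {"Content-Type": "application/json"}, b"<html>not json</html>"),
}


def demo() -> Dict[str, str]:
    """Classify every constructed sample; returns a name -> verdict mapping."""
    return {name: classify_oidc_response(*sample) for name, sample in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} -> {verdict}")
```

For a live check, call `fetch_and_classify("https://sso.example.com/.well-known/openid-configuration", user_agent)` twice, once with a browser-like User-Agent and once with the User-Agent the relying party actually sends; a `challenge` verdict on the second call only points at the client fingerprint rather than at the origin.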