Cloudflare Access and Worker Subrequests

Consider this sequence:

Browser -> Cloudflare Access: somesite.com  (request)
Cloudflare Access -> Cloudflare Worker:  Allow
Cloudflare Worker -> Cloudflare Access:  origin.somesite.com  (subrequest using Access Token)
Cloudflare Access -> Origin:  Allow

Let’s say somesite.com and origin.somesite.com are both protected with SSO in Cloudflare Access, because we want both the site and the origin to be protected.

Let’s also say the subrequest has to use an access token (I’m still not 100% sure why, but that seems to be required - that is, we can’t just pass along the authorization we get from the request).

The problem here is that the subrequest will get a response which includes CF_Authorization cookie data in the Set-Cookie header. That will be from the subrequest’s authorization based on the Access Token, and not from the original request’s. If we pass that back to the browser client, we’ll overwrite the CF_Authorization cookie and thereby break the session.

My option seems to be to remove that cookie from the response, which is doable but convoluted, as removing specific cookies in JavaScript while keeping others is not generally done. What would be great is to just not have to do this, and tell Cloudflare Access to not send along the header for Access Token requests, as you generally don’t need it since they are made programmatically.

I just wanted to share this challenge when trying to use these features in this way. Maybe someone can point out what might be wrong about the design. Or it may just help someone who is trying to do something similar. It seems pretty reasonable to want to use subrequests against Cloudflare Access in this way.
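The workaround described above (make the subrequest with a token, then drop only the CF_Authorization Set-Cookie from the origin's response before returning it to the browser), written out as an added example. This is not code from the original post or from Cloudflare; it assumes the "Access Token" is an Access service token presented in the CF-Access-Client-Id / CF-Access-Client-Secret headers, that the Worker has bindings named ORIGIN_URL, ACCESS_CLIENT_ID and ACCESS_CLIENT_SECRET (names chosen for the example), and the handler name handleRequest is hypothetical. The sample Set-Cookie values in the comments and test are constructed.

```javascript
// Added example, not code from the original post: a Worker that proxies the
// browser's request to an Access-protected origin with a service token, then
// strips the CF_Authorization Set-Cookie the subrequest's response carries, so
// the browser's own Access session cookie for the public site is not overwritten.

const ACCESS_COOKIE = "CF_Authorization";

// Cookie name from one Set-Cookie value: "CF_Authorization=abc; Path=/" -> "CF_Authorization".
function cookieName(setCookieValue) {
  const eq = setCookieValue.indexOf("=");
  return (eq === -1 ? setCookieValue : setCookieValue.slice(0, eq)).trim();
}

// Keep every Set-Cookie value except those that set `name`. Operates on individual
// values, never on the comma-joined string headers.get("Set-Cookie") returns,
// because attributes such as Expires contain commas themselves.
function dropCookie(setCookieValues, name) {
  return setCookieValues.filter((v) => cookieName(v) !== name);
}

// Individual Set-Cookie values from a Headers object. Headers.getSetCookie() exists
// in the Workers runtime and Node 19.7+; older Workers exposed getAll(); the last
// branch splits the joined form heuristically (at commas followed by a cookie name
// and "=") and is only a fallback for runtimes with neither.
function getSetCookieValues(headers) {
  if (typeof headers.getSetCookie === "function") return headers.getSetCookie();
  if (typeof headers.getAll === "function") return headers.getAll("Set-Cookie");
  const joined = headers.get("Set-Cookie");
  return joined ? joined.split(/,(?=\s*[^;,\s=]+=)/).map((v) => v.trim()) : [];
}

// Copy of `headers` with the Set-Cookie for `name` removed; every other header,
// including any other Set-Cookie lines, is preserved.
function stripCookie(headers, name) {
  const out = new Headers(headers);
  const kept = dropCookie(getSetCookieValues(headers), name);
  out.delete("Set-Cookie");
  for (const v of kept) out.append("Set-Cookie", v);
  return out;
}

// Headers for the subrequest. Design choice: the browser's Cookie header (which
// carries its CF_Authorization for somesite.com) is not forwarded, so the service
// token alone authenticates the subrequest. CF-Access-Client-Id and
// CF-Access-Client-Secret are the headers Cloudflare Access reads a service token from.
function subrequestHeaders(requestHeaders, clientId, clientSecret) {
  const h = new Headers(requestHeaders);
  h.delete("Cookie");
  h.set("CF-Access-Client-Id", clientId);
  h.set("CF-Access-Client-Secret", clientSecret);
  return h;
}

// Request handler; the Worker's `fetch` export delegates to it. env.ORIGIN_URL,
// env.ACCESS_CLIENT_ID and env.ACCESS_CLIENT_SECRET are assumed binding names.
// `fetchImpl` is injectable so the handler can be exercised offline.
async function handleRequest(request, env, fetchImpl = fetch) {
  const incoming = new URL(request.url);
  const target = new URL(incoming.pathname + incoming.search, env.ORIGIN_URL);
  const hasBody = !["GET", "HEAD"].includes(request.method);
  const upstream = await fetchImpl(target.toString(), {
    method: request.method,
    headers: subrequestHeaders(request.headers, env.ACCESS_CLIENT_ID, env.ACCESS_CLIENT_SECRET),
    body: hasBody ? request.body : undefined,
  });
  // Pass the origin's response through minus the session cookie that was issued
  // to the token-authenticated subrequest; the browser keeps the CF_Authorization
  // it already holds for somesite.com.
  return new Response(upstream.body, {
    status: upstream.status,
    statusText: upstream.statusText,
    headers: stripCookie(upstream.headers, ACCESS_COOKIE),
  });
}
```

In the Worker module, `export default { fetch: (request, env) => handleRequest(request, env) }` wires this up. Filtering on individual Set-Cookie values rather than on `headers.get("Set-Cookie")` is the part that makes the "remove one cookie, keep the others" step reliable: the joined form cannot be split safely once an Expires attribute is present.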