Consider this sequence:
Browser -> Cloudflare Access: somesite.com (request)
Cloudflare Access -> Cloudflare Worker: Allow
Cloudflare Worker -> Cloudflare Access: origin.somesite.com (subrequest using Access Token)
Cloudflare Access -> Origin: Allow
somesite.com and origin.somesite.com are both protected with SSO in Cloudflare Access, because we want both the site and the origin to be protected.
Let’s also say the subrequest has to use an access token (I’m still not 100% sure why, but that seems to be required; that is, we can’t just pass along the authorization we get from the request).
The problem here is that the subrequest will get a response which includes CF_Authorization cookie data in the Set-Cookie header. That will be from the subrequest’s authorization based on the Access Token, and not from the original request’s. If we pass that back to the browser client we’ll overwrite the CF_Authorization cookie, and thereby break the session.
I just wanted to share this challenge when trying to use these features in this way. Maybe someone can point out what might be wrong about the design. Or it may just help someone who is trying to do something similar. It seems pretty reasonable to want to use subrequests against Cloudflare Access in this way.
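One way to keep the subrequest's own Access session from clobbering the browser's, as an added example that is not part of the original post: the Worker makes the origin subrequest, then rebuilds the response for the browser with any CF_Authorization Set-Cookie removed, so only the browser's original session cookie survives. Assumptions not in the post: the subrequest authenticates with a Cloudflare Access service token sent in the CF-Access-Client-Id / CF-Access-Client-Secret headers, the token lives in the hypothetical env bindings ACCESS_CLIENT_ID and ACCESS_CLIENT_SECRET, and the origin hostname is origin.somesite.com as in the sequence above.

```javascript
// Cookies that belong to the Worker's own Access session and must never be
// relayed to the browser. Assumption: only CF_Authorization matters here, as
// described in the post above.
const ACCESS_SESSION_COOKIES = new Set(["CF_Authorization"]);

// Name part of a Set-Cookie value ("name=value; Path=/; ..." -> "name").
function cookieName(setCookieValue) {
  const eq = setCookieValue.indexOf("=");
  return (eq === -1 ? setCookieValue : setCookieValue.slice(0, eq)).trim();
}

// Keep only the Set-Cookie values that are safe to hand back to the browser.
function filterSetCookies(setCookieValues) {
  return setCookieValues.filter((v) => !ACCESS_SESSION_COOKIES.has(cookieName(v)));
}

// Collect every Set-Cookie header as a separate string. getSetCookie() exists
// in Workers and recent Node; the fallback splits a runtime-joined value only
// at commas that start a new "name=" pair, so "Expires=Wed, 21 Oct ..." stays whole.
function getSetCookies(headers) {
  if (typeof headers.getSetCookie === "function") return headers.getSetCookie();
  const joined = headers.get("set-cookie");
  return joined ? joined.split(/,\s*(?=[^;,=\s]+=)/) : [];
}

// Same status and body as the origin reply, minus the subrequest's Access cookie.
function sanitizeForBrowser(originResponse) {
  const headers = new Headers(originResponse.headers);
  const kept = filterSetCookies(getSetCookies(originResponse.headers));
  headers.delete("set-cookie");
  for (const v of kept) headers.append("set-cookie", v);
  return new Response(originResponse.body, {
    status: originResponse.status,
    statusText: originResponse.statusText,
    headers,
  });
}

// Worker entry point (hypothetical bindings; not the post author's code).
const worker = {
  async fetch(request, env) {
    const url = new URL(request.url);
    url.hostname = "origin.somesite.com"; // assumed origin hostname from the sequence
    const originResponse = await fetch(url.toString(), {
      method: request.method,
      headers: {
        // Assumption: Access service token presented on the machine-to-machine subrequest.
        "CF-Access-Client-Id": env.ACCESS_CLIENT_ID,
        "CF-Access-Client-Secret": env.ACCESS_CLIENT_SECRET,
      },
      body: request.method === "GET" || request.method === "HEAD" ? undefined : request.body,
    });
    return sanitizeForBrowser(originResponse);
  },
};

// Constructed sample of what the subrequest's reply might carry: the Access
// session cookie for the token identity plus an unrelated application cookie.
const SAMPLE_SET_COOKIES = [
  "CF_Authorization=token-session-value; Path=/; HttpOnly; Secure",
  "app_session=abc123; Path=/; HttpOnly",
];
```

The browser never sees the CF_Authorization value issued for the service token identity, so its own SSO session cookie stays intact; the application's own cookies are still relayed. The fallback splitter in getSetCookies is best effort and only matters on runtimes without getSetCookie().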