Cloudflare Access - CLI Auth Beta


#1

Hi everyone! We are launching a new beta feature for Cloudflare Access today. Using the Cloudflare command line tool, cloudflared, you will be able to reach an API that is protected by Access.

The feature relies on the same command line tool used to configure Argo Tunnel. Instructions on how to download use can be found here:

We’re excited to listen to your feedback as we improve the tool! Please let us know what you think, good and bad.

  • Sam

#2

Right now, the longest session duration that can be used for Access is one month. Do you have any plans to increase this? It would be nice if we didn’t have to rotate tokens every month.

Alternatively, could we have a CloudFlare UI for generating static tokens which expire much later, for long-term configuration?

Great feature nonetheless! Thanks for your work!


#3

Hi Algirdas, thanks for trying it out. We’re working on supporting those types of service-to-service connections. This initial release is meant for an individual user interacting with an API manually. The service connections are coming soon though.


#4

Just a heads up - we’ll be rolling back this feature in cloudflared while we address some feedback. We expect the capability to be added back on Monday.


#5

I followed the instructions here, but was able to login only by using cloudflared access login https://example.com, not using the cloudflared access token https://example.com as it says here:

Plus I was already logged in and it had issues seeing the token, I had to delete the cookies.


#6

Hi Matteo - thanks for the feedback!

That’s correct - the token command only retrieves the token once you have logged in, it does not initiate the login process.

And good point on the issue being logged in. We list that as a known limitation in the docs today and are working to address it.

Sam


#7

In the docs, maybe I misread them, but it seems like they ask you to begin by doing that. The error it gives is also not helpful.

Didn’t see that!


#8

Thanks for that feedback; we’ll improve the error messaging.


#9

Nice work!

Might TLS client auth be incorporated?


#10

We’re busy planning how to extend Access in more directions, mTLS included. Stay tuned!