Cloudflare access JWK URL filters on User agent header

Hey there,

We’ve been working on programmatically verifying Cloudflare Access JWTs using the guide here.

However, when building our app and attempting to actually download the JWTs, it seems that https://<your access domain>/cdn-cgi/access/certs is giving 403s depending on User-Agent headers?

When making the request in Java as follows:

  final URLConnection c = this.url.openConnection();
  c.setRequestProperty("Accept", "application/json");
  if (connectTimeout != null) {
    c.setConnectTimeout(connectTimeout);
  }
  if (readTimeout != null) {
    c.setReadTimeout(readTimeout);
  }

We get a 403 response. However, simply changing it to:

  final URLConnection c = this.url.openConnection();
  c.setRequestProperty("Accept", "application/json");
  // Because they filter user agents...
  c.setRequestProperty("User-Agent", "not-java");
  if (connectTimeout != null) {
    c.setConnectTimeout(connectTimeout);
  }
  if (readTimeout != null) {
    c.setReadTimeout(readTimeout);
  }

gives us a 200. What’s going on? Are there specific user agents we need to be using to ensure our requests don’t fail?
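
A key fetcher for the situation in this post, as an added example that is not the poster's code or Cloudflare's: it sets an explicit User-Agent, checks the HTTP status before reading the body, and fails closed with a message naming the User-Agent that was sent. Assumptions: the class name, the `my-service-jwks/1.0` string and the 5-second timeouts are hypothetical, and the local stub server only imitates the behaviour observed above (403 for the JDK default `Java/<version>` agent) so the example runs offline.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;

public class JwksFetchDemo {
    // Fetch a JWKS document; userAgent == null leaves the JDK default ("Java/<version>").
    static String fetchJwks(URL url, String userAgent) throws IOException {
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setRequestProperty("Accept", "application/json");
        if (userAgent != null) {
            c.setRequestProperty("User-Agent", userAgent);
        }
        c.setConnectTimeout(5000);
        c.setReadTimeout(5000);
        int status = c.getResponseCode();
        if (status != 200) {
            // Fail closed: without keys no token can be verified, so report exactly why.
            throw new IOException("JWKS fetch failed: HTTP " + status + " (User-Agent: "
                    + (userAgent == null ? "JDK default" : userAgent) + ")");
        }
        try (var in = c.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed local stub, not Cloudflare: rejects User-Agents starting with "Java/".
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/cdn-cgi/access/certs", ex -> {
            String ua = ex.getRequestHeaders().getFirst("User-Agent");
            boolean blocked = ua == null || ua.startsWith("Java/");
            byte[] body = (blocked ? "forbidden" : "{\"keys\":[]}").getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(blocked ? 403 : 200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        stub.start();
        URL url = new URL("http://127.0.0.1:" + stub.getAddress().getPort() + "/cdn-cgi/access/certs");
        try {
            System.out.println(fetchJwks(url, "my-service-jwks/1.0")); // hypothetical UA string
            fetchJwks(url, null); // JDK default User-Agent, rejected by the stub
        } catch (IOException e) {
            System.out.println(e.getMessage());
        }
        stub.stop(0);
    }
}
```

Surfacing the status code and User-Agent in the exception keeps a blocked key download from being misread as a JSON parsing or signature verification failure.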