Cloudflare Access not authorizing XHR request with Cf-Access-Jwt-Assertion header

Hi all,

Working with Cloudflare Access. I have a single-page application (SPA) protected on a subdomain by CF Access. This is working well. I am running into some issues when trying to have the outbound XHR / Ajax requests go to a CF Access protected API endpoint.

I have tried to add the Cf-Access-Jwt-Assertion header to all outbound requests, with the contents of CF_Authorization, however, it is still 302 redirecting to the Access login page.

I can try to open up security settings to include XHR.withCredentials and Access-Control-Allow-Credentials, and forward along the CF_Authorization cookie, but I am hesitant to do this.

I was successful using service tokens - but this is not ideal as it’s not using the users auth, and the tokens can be taken out of the app easily.

Any advice is appreciated.

Update: Looks like Cf-Access-Jwt-Assertion is not used at all. Moving on to try working with Access-Control-Allow-Credentials in the CF CORS settings and withCredentials on my XHR request to allow the cookie to be sent with the request.

I have confirmed that I can get access when the JWT is included as the cookie CF_Authorization through Postman. Back to Chrome…

When I check off “Access-Control-Allow-Credentials” in the CF CORS settings, it automatically disables “Access-Control-Allow-Origin” and sets it to the wildcard “*”… which is not supported. Why do you do this, Cloudflare? The following error message is thrown in Chrome.

Access to XMLHttpRequest at 'https://protected.domain.com/' from origin 'https://otherdomain.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

I go back, turn off “Access-Control-Allow-Credentials”, make sure my domain is in “Access-Control-Allow-Origin”, save, and try the request again…

Access to XMLHttpRequest at 'https://protected.domain.com' from origin 'https://otherdomain.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Feeling stuck!
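The two Chrome errors quoted above are the two halves of the browser's CORS check for a credentialed request: the response may not use the wildcard origin, and it must carry Access-Control-Allow-Credentials with the exact value true. The following is an added example, not code from the post or from Cloudflare: a small model of that browser-side check, fed with the two header combinations the post describes, next to a header builder that produces the combination a credentialed request will pass. The origins are the placeholders from the post; the allow-list containing only the SPA origin is an assumption.

```javascript
// Added example (not from the original post): a minimal model of the browser's
// CORS response check for credentialed requests, plus a header builder that
// produces the combination Chrome accepts. "https://otherdomain.com" is the SPA
// and "https://protected.domain.com" the API, as in the post's error messages.

const SPA_ORIGIN = 'https://otherdomain.com';       // placeholder from the post
const API_ALLOWLIST = ['https://otherdomain.com'];  // assumption: only the SPA may call the API

// The two failing configurations described in the post (constructed sample headers).
// Attempt 1: Allow-Credentials enabled, but Allow-Origin forced to the wildcard.
const attempt1 = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' };
// Attempt 2: exact origin allowed, but Allow-Credentials switched off.
const attempt2 = { 'Access-Control-Allow-Origin': 'https://otherdomain.com' };

// Mirror the checks the browser runs on a response when the request was sent with
// credentials (xhr.withCredentials = true, or fetch with credentials: 'include').
// credentialsMode is 'include' or 'omit'. Returns { allowed, reason }.
function checkCors(requestOrigin, credentialsMode, responseHeaders) {
  // Header names are case-insensitive; normalise once before looking them up.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) h[name.toLowerCase()] = value;
  const acao = h['access-control-allow-origin'];
  const acac = h['access-control-allow-credentials'];

  if (acao === undefined) {
    return { allowed: false, reason: "No 'Access-Control-Allow-Origin' header is present" };
  }
  if (credentialsMode === 'include' && acao === '*') {
    // First error from the post: wildcard origin with credentials mode 'include'.
    return { allowed: false, reason: "'Access-Control-Allow-Origin' must not be the wildcard '*' when credentials mode is 'include'" };
  }
  if (acao !== '*' && acao !== requestOrigin) {
    return { allowed: false, reason: `'Access-Control-Allow-Origin' is '${acao}', which does not equal the request origin` };
  }
  if (credentialsMode === 'include' && acac !== 'true') {
    // Second error from the post: the value must be the literal string 'true'.
    return { allowed: false, reason: `'Access-Control-Allow-Credentials' is '${acac ?? ''}' but must be 'true' when credentials mode is 'include'` };
  }
  return { allowed: true, reason: 'ok' };
}

// What the protected API (or whatever answers CORS in front of it) has to send
// for a credentialed cross-origin request: echo the exact allowed origin (never
// '*'), set Allow-Credentials to the literal 'true', and add Vary: Origin so a
// cache never serves one origin's Allow-Origin value to another. Returns null for
// origins not on the allow-list so the caller can respond without CORS headers.
function buildCredentialedCorsHeaders(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return null;
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Vary': 'Origin',
  };
}

// Stand-alone run: replay the post's two attempts and the corrected headers.
for (const [label, headers] of [
  ['attempt 1 (wildcard + credentials)', attempt1],
  ['attempt 2 (origin, no credentials)', attempt2],
  ['corrected', buildCredentialedCorsHeaders(SPA_ORIGIN, API_ALLOWLIST)],
]) {
  console.log(label, '->', checkCors(SPA_ORIGIN, 'include', headers));
}
```

On the client side the matching setting is `xhr.withCredentials = true` (or `credentials: 'include'` for fetch); with it, the CF_Authorization cookie for protected.domain.com travels with the request only if the cookie's SameSite attribute permits the cross-site send and both responses above, the preflight and the actual one, pass the check modelled here.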