Working with Cloudflare Access. I have a single page application (SPA) protected on a subdomain by CF Access. This is working well. I am running into some issues when trying to have the outbound XHR / Ajax requests going to a CF Access protected API endpoint.
I have tried to add the Cf-Access-Jwt-Assertion header to all outbound requests, with the contents of CF_Authorization, however, it is still 302 redirecting to the Access login page.
I can try to open up security settings to include Access-Control-Allow-Credentials, and forward along the CF_Authorization cookie, but I am hesitant to do this.
I was successful using service tokens - but this is not ideal as it’s not using the user’s auth, and the tokens can be taken out of the app easily.
Any advice is appreciated.
Update: Looks like Cf-Access-Jwt-Assertion is not used at all. Moving on to try working with Access-Control-Allow-Credentials on the CF CORS and withCredentials on my XHR request to allow the cookie to be sent with the request.
I have confirmed that I can get access when the JWT is included as the cookie CF_Authorization through Postman. Back to Chrome…
When I check off “Access-Control-Allow-Credentials” in CF CORS settings, it automatically disables and sets the “Access-Control-Allow-Origin” to be a wildcard “*”… which is not supported - why do you do this Cloudflare? The following error message is throwing in Chrome.
Access to XMLHttpRequest at 'https://protected.domain.com/' from origin 'https://otherdomain.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
I go back, and turn off the “Access-Control-Allow-Credentials” and make sure my domain is in “Access-Control-Allow-Origin”, save, and try the request again…
Access to XMLHttpRequest at 'https://protected.domain.com' from origin 'https://otherdomain.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
Cf-Access-Jwt-Assertion header does not work. Is there any way to do this? Is this an oversight on Cloudflare’s part or is there some technique here that I’m missing?
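The two Chrome errors quoted in the post are the browser's CORS rules for credentialed requests: when the request is sent with `withCredentials = true` (or `fetch(..., { credentials: 'include' })`), the response must echo one specific origin in `Access-Control-Allow-Origin` (never `*`) and must carry `Access-Control-Allow-Credentials: true`. The following is an added example, not code from the original post or from Cloudflare; it is plain JavaScript runnable under Node that builds the headers a protected API should return for an allow-listed origin and simulates the browser-side check, so the wildcard and missing-credentials failures can be seen side by side with the working configuration. The origins `https://otherdomain.com` and `https://protected.domain.com` are the placeholders from the post, and the allow-list is an assumption for the example. The security-relevant point is that the origin must be echoed from a fixed allow-list with `Vary: Origin`, never reflected from an arbitrary `Origin` request header, because an API that reflects any origin while allowing credentials lets any site read authenticated responses.

```javascript
// Added example (not from the original post): CORS with credentials.
// Assumed allow-list of SPA origins permitted to call the protected API.
const ALLOWED_ORIGINS = new Set(['https://otherdomain.com']);

// Build the CORS response headers the protected API (e.g. https://protected.domain.com)
// should return for a given request Origin. Returns {} for origins not on the list,
// so the browser blocks the response. With credentials, the origin is echoed
// verbatim from the allow-list; a wildcard is never emitted.
function corsHeadersFor(requestOrigin, { credentials }) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  const headers = {
    'Access-Control-Allow-Origin': requestOrigin,
    // Caches must key on Origin once the value is per-origin.
    'Vary': 'Origin',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
  };
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Simulate the checks Chrome applies before letting script read a cross-origin
// response. credentialsMode is 'include' (withCredentials = true) or 'omit'.
// Returns null when the response passes, otherwise the reason it is blocked.
function browserCorsCheck(responseHeaders, requestOrigin, credentialsMode) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  const acac = responseHeaders['Access-Control-Allow-Credentials'] || '';
  if (acao === undefined) {
    return 'No Access-Control-Allow-Origin header is present on the response';
  }
  if (credentialsMode === 'include') {
    if (acao === '*') {
      return "The value of the 'Access-Control-Allow-Origin' header must not be the wildcard '*' when the request's credentials mode is 'include'";
    }
    if (acac !== 'true') {
      return `The value of the 'Access-Control-Allow-Credentials' header is '${acac}' which must be 'true' when the request's credentials mode is 'include'`;
    }
  }
  if (acao !== '*' && acao !== requestOrigin) {
    return `Origin '${requestOrigin}' is not allowed by Access-Control-Allow-Origin '${acao}'`;
  }
  return null;
}

// The three server configurations from the post, as the browser sees them.
// Client side, the request that triggers these checks is:
//   const xhr = new XMLHttpRequest();
//   xhr.withCredentials = true; // sends the CF_Authorization cookie cross-origin
//   xhr.open('GET', 'https://protected.domain.com/');
function scenarios() {
  const origin = 'https://otherdomain.com';
  return {
    // "Allow-Credentials" checked, origin forced to '*': first error in the post.
    wildcardWithCredentials: browserCorsCheck(
      { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' },
      origin, 'include'),
    // Origin listed but "Allow-Credentials" off: second error in the post.
    originWithoutCredentials: browserCorsCheck(
      { 'Access-Control-Allow-Origin': origin }, origin, 'include'),
    // Both set correctly: passes.
    originWithCredentials: browserCorsCheck(
      corsHeadersFor(origin, { credentials: true }), origin, 'include'),
    // An origin not on the allow-list gets no CORS headers at all.
    unlistedOrigin: browserCorsCheck(
      corsHeadersFor('https://attacker.example', { credentials: true }),
      'https://attacker.example', 'include'),
  };
}

for (const [name, result] of Object.entries(scenarios())) {
  console.log(`${name}: ${result === null ? 'allowed' : 'blocked - ' + result}`);
}
```

Only the last configuration, a specific echoed origin plus `Access-Control-Allow-Credentials: true`, lets the cookie-bearing request through; which Cloudflare dashboard combination produces it is the question the post leaves open.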