Cloudflare Access suddenly gives "Authentication Error"

For a week I’ve had Cloudflare Access working fine with a generic OIDC provider configured for Auth0. However, today Cloudflare Access commences the authentication flow by redirecting to Auth0, but following successful authentication the redirect causes Cloudflare to render a page:

Authentication Error
Failed to fetch user/group information from the identity provider
Apologies, Please contact your Access administrator

Despite this the Auth0 admin UI logs report “Success Exchange” and “Success Login” events.

I have tried the obvious things (using a different browser, clearing all history and cookies, rotating the OAuth Client Secret, creating a new application in Auth0 then a new OIDC provider in Cloudflare) but none of them worked. A review of https://cloudflarestatus.com shows no outages, although something similar happened on 16 October.

Any suggestions what to try or how to troubleshoot this?

Hi b_a,

Have you tried the “test” connection button in the Authentication menu of the Teams Dashboard for Access? That can sometimes give a more descriptive error for what’s going on.

Yes: it redirects you through to Auth0 for 2FA verification, which is then verified, and then upon redirect to Cloudflare it shows:

[Screenshot, 2020-10-31: “Error · Cloudflare Access” page]

Meanwhile on the Auth0 side the logs show everything worked fine.

In addition to the list of other things I tried, I also revoked the user session.

The problem remains today, so it has been offline for at least 24 hours. I logged a ticket yesterday (2012438) but there has been no response.

I never resolved this problem, but I did work around it by using SAML with Auth0.

For those in a similar situation and using Auth0 as their authentication provider:

  • In the Auth0 dashboard: go into Applications > the application name > show advanced settings > endpoints > download the “SAML Metadata URL” file and save to disk
  • In the Cloudflare dashboard: select domain > Access > Login methods add > drop or select IDP metadata file (select the file saved to disk in the prior step) > give it a name (e.g. Auth0) > sign SAML authentication request on > email attribute name “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” > save and test

I’m unsure why OIDC isn’t working but given SAML does I’ll move on. 🙂
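A pre-flight check for the SAML workaround above, added here as an example; it is not code from the forum post, from Auth0 or from Cloudflare. It parses an IdP metadata file of the kind downloaded from Auth0’s “SAML Metadata URL” (entityID, SSO endpoints, signing certificate) and then checks whether a SAML response actually carries an attribute with the exact name configured as Cloudflare’s “email attribute name”. The metadata, the tenant hostname, the certificate text and both SAML responses below are constructed samples, not real Auth0 output.

```python
"""Check IdP metadata and the email attribute of a SAML response (added example).

Assumptions (all labelled): sample metadata/responses are constructed, the
tenant hostname and certificate text are placeholders, and EMAIL_ATTR is the
claim name the post configures in Cloudflare Access.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The attribute name the post enters as "email attribute name" in Cloudflare.
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample in the shape of IdP metadata (entityID, signing cert, SSO URLs).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="urn:example-tenant.auth0.com">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate> MIIC...PLACEHOLDER...CERT </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.auth0.com/samlp/clientid"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.auth0.com/samlp/clientid"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed SAML response whose assertion uses the claim-style email attribute.
SAMPLE_RESPONSE_OK = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>b_a@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed response that sends the address only under a short name "email".
SAMPLE_RESPONSE_BAD = SAMPLE_RESPONSE_OK.replace(EMAIL_ATTR, "email")


def parse_idp_metadata(xml_text):
    """Return entityID, SSO URLs keyed by binding and signing certs from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this file is not IdP metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # skip encryption-only keys
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if c.text and c.text.strip():
                certs.append(c.text.strip())
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def assertion_attributes(xml_text):
    """Map every Attribute Name in the response's assertion(s) to its values."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for a in root.iter("{%s}Attribute" % NS["saml"]):
        attrs[a.get("Name")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return attrs


def find_email(attrs, expected=EMAIL_ATTR):
    """Return the first value of the configured email attribute, or None if absent."""
    values = attrs.get(expected)
    return values[0] if values else None


def diagnose_email_attribute(attrs, expected=EMAIL_ATTR):
    """(ok, message): if the configured name is missing, list names that look like email."""
    email = find_email(attrs, expected)
    if email is not None:
        return True, "email attribute %r present: %s" % (expected, email)
    candidates = sorted(n for n in attrs if n and "email" in n.lower())
    return False, ("configured email attribute %r not in response; names sent: %s"
                   % (expected, candidates or "none"))


if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_METADATA)
    print(md["entity_id"], md["sso"])
    print(diagnose_email_attribute(assertion_attributes(SAMPLE_RESPONSE_OK)))
    print(diagnose_email_attribute(assertion_attributes(SAMPLE_RESPONSE_BAD)))
```

Run the script with a real metadata download in place of SAMPLE_METADATA to confirm the file is IdP (not SP) metadata and has a signing certificate before importing it; a decoded SAML response captured from the browser (base64 form field) can be checked the same way to see which attribute names the IdP really sends, which is the value that must match the “email attribute name” field.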


Ok, we’ll take a look into this. Thank you for logging a ticket, I’ll pick up the conversation there.