CloudflareAccess to offer .well-known/openid-configuration endpoint

We are aware that CloudflareAccess is not an IDP but rather an IDP proxy that digests the ID token returned by an IDP configured in an Access policy. This is achieved by configuring a callback URL such as https://mycompany.cloudflareaccess.com/cdn-cgi/access/callback in the respective application-specific IDP configuration.

The resulting CloudflareAccess JWT sent to the downstream origin server is often validated on the origin server itself or by a gateway in front of the origin server.

To validate the CloudflareAccess JWT, the key material must be read from this CloudflareAccess endpoint:

https://mycompany.cloudflareaccess.com/cdn-cgi/access/certs

Some OIDC clients allow the above URL to be configured directly as the jwks_uri, but more commonly OIDC clients offer a configuration option for specifying the IDP's well-known OIDC configuration endpoint. For Azure AAD this would be, e.g.,

https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration

whereas for Okta it is

https://host.mycompany.com/oauth2/{authorizationServerId}/.well-known/openid-configuration

Once configured, standards-compliant OIDC clients navigate through this structure and find, e.g., the jwks_uri needed to verify an incoming JWT.

To be standards compliant, we would now like CloudflareAccess to also offer a .well-known/openid-configuration endpoint which then has ./cdn-cgi/access/certs embedded. We conclude this should be feasible with reasonable effort.
