Cloudflared config yml access section, support for more than aud

Hi There,

When using CloudflareD as a daemon on an origin server, configured with config.yml and tunnels described with json token files.

With respect to the “access” section of the config.yml, described here:

  required: true
  teamName: <your-team-name>
    - aud1 <Access-application-audience-tag>
    - aud2 <Optional-additional-tags>

I’d like to know if there are more options available than just these?

Is an “aud3” supported?

Can I restrict access to regex/ wildcard expression applied to the email property of the jwt token?

These are all the fields present in the jwt cookie payload:

  "aud": [
  "email": "[email protected]",
  "exp": 1659474457,
  "iat": 1659474397,
  "nbf": 1659474397,
  "iss": "",
  "type": "app",
  "identity_nonce": "6ei69kawdKzMIAPF",
  "sub": "7335d417-61da-459d-899c-0a01c76a2f94",
  "country": "US"

Can the access section of the config.yml be used to restrict on other fields? ie. email above, but also country, and more than two possible aud’s?

Preferably with some kind of regex/ flexible wildcard and/or list expression.

The application for this is when tunneling the raw TCP protocols like RDP and SSH, where it’s not possible to implement further restrictions in the application on the origin server.

It is possible to implement finer grained controls on the Zero Trust web dashboard itself, but I would like to do it this way if possible.