What is the name of the domain?
abc-software.solutions
What is the error number?
302 Found
What is the error message?
That account does not have access.
What is the issue you’re encountering?
I configured a tunnel to an application in a Kubernetes cluster and the users are authenticated using their Azure AD login. But with a cleared cache and cookies the access to the tunnel is not possible, I get a “That account does not have access” message. When I manually log in to portal.azure.com, it works. When using an incognito window it also works because then the whole login procedure is executed. But in the normal window I’m already logged in automatically (my PC account is synchronized with Azure) and the “Test” in the IdP configuration is also successful and provides the groups information incl. the group which would authorize me to access the tunnel. What could be the reason for this behavior and how can it be solved?
What steps have you taken to resolve the issue?
Remove browser cookies and cache
Configure Cloudflare Azure OIDC provider settings
Reduce access application session duration
Screenshot of the error
We come across this a few times a year.
Log out of the IdP, clear cookies, and also try the secret linked for basically nowhere: {yourdomain}.cloudflareaccess.com/cdn-cgi/access/logout - You would think this would be linked when you got the above, but no.
Hey @matt147 thanks a lot for your response. So you mean this is not anything related to our tunnel implementation or the way we have configured our access application and policies? And it is also not related to the way the Azure AD OIDC Provider is configured in Cloudflare? This is a known issue on the Cloudflare side?
Is there anything that we can do to fix this issue, or simply keep relying on the workarounds that you mentioned above? i.e. log out of the IdP, clear cookies, and use the {yourdomain}.cloudflareaccess.com/cdn-cgi/access/logout link
I can’t say for sure in your case, but there are dozens of known issues and the core product hasn’t been touched for years; the break-out of the control panel was the last major advance. I check now and again and it still has the same problems as in 2022.
Here’s an example: we revoke a user session and after a few seconds and a refresh the client gets
Current authentication token is expired.
Try again later. If the problem persists, contact the administrator.
Which is fine, but not a single link to what to do next.
Not as annoying as “that account does not have access”, which requires three sets of nukes (cdn-cgi logout, clear cookies from the IdP, the access-protected domain and the cloudflareaccess one), but the whole thing is very immature compared to Cognito.
I do wonder if the original devs, I think it was Sam, have moved on.
It’s a real shame because it’s like they forgot to do QA on the core identity proxy product and left it at 90% and started messing around on all the Warp integration stuff that I guess many don’t desire.
Unfortunately no, I don’t think so, no fixes that you can do; we have the workarounds as part of a Slack bot when people complain. [The core identity proxy] is just a buggy unmaintained product I think. My recent experiment led me to try out some new features after accepting defeat on the above and even those are half baked (e.g. SCIM integration, toggles exist for Google Workspace but it isn’t compatible).
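The replies above boil down to two diagnostics before reaching for the "three sets of nukes": is the CF_Authorization session cookie the browser is presenting already expired (the "Current authentication token is expired" case), or is it a valid but stale identity that no longer matches the Access policy (the "That account does not have access" case)? The following script is an added example, not code from this thread or from Cloudflare: it builds a constructed Access-style application token, decodes its claims without verifying the signature (a real check would fetch the team's JWKS from the `/cdn-cgi/access/certs` endpoint, which this offline example does not do), reports whether the session is expired and which identity it carries, and assembles the logout URLs a support runbook would hand out. The team domain `example-team.cloudflareaccess.com`, the application host `app.example.com`, all claim values, and the per-application `/cdn-cgi/access/logout` path are assumptions for the example.

```python
import base64
import json
import time

# Constructed sample claims, modelled on the public claim names of a
# Cloudflare Access application token (the CF_Authorization cookie).
# Every value below is made up for this example.
SAMPLE_CLAIMS = {
    "aud": ["constructed-application-audience-tag"],
    "email": "user@example.com",
    "exp": 1_700_000_000,          # constructed expiry (unix seconds)
    "iat": 1_699_996_400,          # issued one hour before exp
    "nbf": 1_699_996_400,
    "iss": "https://example-team.cloudflareaccess.com",  # assumed team domain
    "type": "app",
    "identity_nonce": "constructed-nonce",
    "sub": "constructed-subject",
}


def _b64url(data):
    """Base64url-encode without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(claims=SAMPLE_CLAIMS):
    """Assemble a compact JWT with a placeholder signature for offline use."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        _b64url(b"constructed-signature"),   # not a real signature
    ])


def decode_claims(token):
    """Return the payload claims WITHOUT verifying the signature.

    This is a diagnostic view only; anything enforcing access must verify
    the token against the team's published keys instead.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three segments)")
    return json.loads(_b64url_decode(parts[1]))


def session_status(token, now=None):
    """Summarise who the cookie says the user is and whether it has expired."""
    now = int(time.time()) if now is None else now
    claims = decode_claims(token)
    exp = int(claims["exp"])
    return {
        "email": claims.get("email"),
        "issuer": claims.get("iss"),
        "audience": claims.get("aud"),
        "expired": now >= exp,
        "seconds_remaining": max(0, exp - now),
    }


def logout_urls(team_domain, app_host):
    """The two Access logout endpoints a stale-session runbook points users to.

    The team-domain URL is the one quoted in the thread; the per-application
    path on the protected host is an assumption of this example.
    """
    return [
        f"https://{app_host}/cdn-cgi/access/logout",
        f"https://{team_domain}/cdn-cgi/access/logout",
    ]


if __name__ == "__main__":
    token = build_sample_token()
    print(json.dumps(session_status(token, now=1_699_999_000), indent=2))
    for url in logout_urls("example-team.cloudflareaccess.com", "app.example.com"):
        print("logout:", url)
```

To use it on a real session, paste the value of the CF_Authorization cookie from the browser's storage inspector into `session_status`; an `expired: true` result explains the "token is expired" screen, while a valid token whose `email` is not the identity the Access policy expects points at the stale-login case that the IdP logout plus cookie clearing resolves.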
Thanks a lot for these remarks. These help us a lot and show that we didn’t do anything wrong and we should simply ignore the flaws or choose a different product.
Have a great day!