Curl Access with Service Token

I am running into some problems with an endpoint on a subdomain which is protected with a Service Token. I created an Access Policy for that particular URL which allows one particular Service Token.

I have a script to hit this URL with curl which eventually will be a cron job. I have tried both PHP and the command line and so far no luck. Following the instructions here (https://developers.cloudflare.com/access/service-auth/service-token/), I added the two headers to the curl request:

CF-Access-Client-Id:
CF-Access-Client-Secret:

The endpoint returns a simple JSON object.

The curl command looks like this and it fails silently (no command line output):

curl -H "CF-Access-Client-Secret: XXXXXX" -H "CF-Access-Client-Id: XXXXX.access" https://example.com/some-path

The PHP looks like this:

<?php
$url = 'https://example.com/some-path';
$ch = curl_init();
// Temporary cookie jar so any cookies set during the request are kept for redirects
$cookie_file = tempnam(sys_get_temp_dir(), 'cookie');
$defaults = array(
    CURLOPT_URL => $url,
    // Follow redirects, so a 302 from Access ends up rendering the login page
    CURLOPT_FOLLOWLOCATION => true,
    // Service token headers as documented for Cloudflare Access
    CURLOPT_HTTPHEADER => array(
        'CF-Access-Client-Id: XXXXX.access',
        'CF-Access-Client-Secret: XXXXX',
        'Accept: application/json,text/html,application/xhtml+xml',
    ),
    CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',
    CURLOPT_COOKIEJAR => $cookie_file,
    CURLOPT_COOKIEFILE => $cookie_file,
);
curl_setopt_array($ch, $defaults);
// CURLOPT_RETURNTRANSFER is not set, so the response body is written straight to output
$response = curl_exec($ch);
if (curl_error($ch)) {
    echo 'Request Error: ' . curl_error($ch);
}
curl_close($ch);

This code returns the domain.cloudflareaccess.com page (Get a login code emailed to you) instead of hitting the actual endpoint. I thought Service Tokens allowed you to bypass that email verification process. Am I misunderstanding how Service Tokens are supposed to work? Any thoughts about how I could go about troubleshooting this?

Thanks

2 Likes

Hello,
I hit the exact same issue. I was able to make it work by tweaking my access policies:

I created 2 of them:

  1. “Non Identity” decision policy with an “include” rule of type “access service token”
  2. “Allow” decision policy with custom IdP rules (based on domains, …)

Not sure it’s the best way and any “official” advice would be appreciated.

1 Like

Thanks @v114 “Non Identity” was the way to go. Much appreciated.
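A small cron-friendly probe, added here as an example and not code from any post in this thread: it sends the two service-token headers, deliberately does not follow redirects, and classifies the result, so a redirect to the cloudflareaccess.com login page (the symptom above, which plain curl shows as empty output) is reported as a policy problem rather than being silently accepted. It assumes the credentials are supplied in the environment variables CF_ACCESS_CLIENT_ID and CF_ACCESS_CLIENT_SECRET (names chosen for this example).

```shell
#!/bin/sh
# Classify a curl result for a URL behind Cloudflare Access.
# $1 = HTTP status code, $2 = value of curl's %{redirect_url} (empty if none).
# Prints one of: ok, access-login-redirect, denied, redirect, unexpected:<code>
classify_access_response() {
  code="$1"
  redirect="${2:-}"
  case "$redirect" in
    *.cloudflareaccess.com/*)
      # Access did not accept the token and is sending us to the email login page
      echo "access-login-redirect"; return 0 ;;
  esac
  case "$code" in
    200)      echo "ok" ;;
    401|403)  echo "denied" ;;          # token rejected or policy is a Block
    3[0-9][0-9]) echo "redirect" ;;     # some other redirect from the origin
    *)        echo "unexpected:$code" ;;
  esac
}

# Probe $1 with the service token headers. Returns 0 only when the endpoint
# answered 200 directly; any redirect or error is a non-zero exit for cron.
probe_endpoint() {
  url="$1"
  : "${CF_ACCESS_CLIENT_ID:?set CF_ACCESS_CLIENT_ID}"
  : "${CF_ACCESS_CLIENT_SECRET:?set CF_ACCESS_CLIENT_SECRET}"
  # -o /dev/null discards the body; -w prints "<status> <redirect_url>"
  result=$(curl -sS -o /dev/null \
      -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
      -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
      -w '%{http_code} %{redirect_url}' "$url") || return 4
  set -- $result
  verdict=$(classify_access_response "$1" "${2:-}")
  echo "$url: $verdict"
  [ "$verdict" = "ok" ]
}
```

In a cron job, a non-zero exit from probe_endpoint (for example after an Access policy change) surfaces in the job's status instead of producing an empty log line.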