Current authentication token is expired - can't access anything

Hi,

I’ve been using Cloudflare Teams for over a year now. Everything worked fine until today. I encountered the following error page, after I successfully identified myself:

I tried to switch my identity provider from Google to one-time password, recreated the applications, revoked access for all users and created all rules and applications from scratch. But every application I try to access redirects me to this page.

Any help would be appreciated.

2 Likes

I think I’m seeing this exact issue, and have tried the same steps to remedy including clearing browser cache and cookies.

Current authentication token is expired.
Try again later. If the problem persists, contact the administrator.

On my team I have:

  • App Launcher Policy set to allow the correct @example.com emails
  • Only One-time-pin authentication active
  • App Launcher Session duration 24 hours

Steps to reproduce:

  1. Visit my app launcher url (e.g. example.cloudflareaccess.com)
  2. Click Login
  3. Enter my email address (e.g. [email protected])
  4. Get the OTP via email and enter in the OTP field

Expected result:
See App Launcher

Actual result:
See the following error:


I just noticed that Cloudflare pushed a new update to Access today, so my guess is that if this is a bug, the bug might be related to this release:

Hi, any update on this? Same issue here.
We were trying warp and when trying to authenticate with our cloudflare teams account we were stuck in a loop. A suggestion was to change the cloudflareaccess domain which we did. Since then, unable to use any external auth provider.

Did everything we can think of. Disconnected the providers, re-created the Oauth2 connections, revoked tokens, re-created argo tunnels etc… Tried different auth providers. Getting the same issue and no access to our systems.

mmm. Not even OTP is working, same error. Wish there was an official response.

1 Like

@MoreHelp

Alex did you ever get this sorted?

Hi, we’ve been unable to access our cloudflareaccess.com domain for over 2 days due to this issue. There is another ticket raised by someone else which is not getting much attention so I’m lodging a new one.

When trying to login to our cloudflareaccess.com domain, regardless of which authentication we choose (Google, Azure, OTP), once authenticated we are presented with error: “Current authentication token is expired”. As such, we are unable to access any of our tunnels for anything else on Teams.

When did it start:
We were trying out WARP for the first time, and authenticating was sending us in a loop. A suggestion on the community forum was to change the domain name, so we did. Then everything broke.

What we’ve done to try and resolve it:

  • Recreated tunnels, oauth integration etc. Tunnels connect, oauth tests all pass with green ticks. Cloudflare logs indicate successful auth.
  • Changed domain back to original, no change
  • Configured OTP. Get password to email, no change.

The only way now to access our resources is to put in a bypass rule within each policy, which is not ideal and needs to be resolved.

It looks like nobody in the Community has gone through this and found a solution.

Next step is to open a ticket via dashboard or email (support AT cloudflare DOT com)

Be sure to post the ticket # in this thread so it can be escalated.

Thanks, Ticket# 2274869

Note that they keep auto-closing my tickets even though I have a TEAMS paid license

While you have a ticket, maybe you can also note that you have the TEAMS paid license (Standard, right?) and you don’t have Live Chat activated.

I’ll escalate and include a comment about chat.

2 Likes

Yes that’s correct. Upgraded today so probably takes a little for chat to kick in, appreciate it


1 Like

I’m pretty sure it’ll never kick in on its own if you’re not on a Biz/Ent plan…in which case you’d already have Chat. So…no chat until it’s manually activated by Support.

1 Like

Unfortunately no.
I had to bypass CF and set up nginx authentication to protect my application. But that is definitely not ideal.

@ddicello Thanks for taking this further.

:point_up: I did this too, just before the problem started.

I “resolved” this for my own use case by creating a new account, using a previously-unused domain I had. This is obviously not ideal, as all clients connecting to proxied apps directly need to update their bookmarks, but for my simple setup (only three clients) this worked.

Hi All,

This is a known issue affecting accounts that updated their Team/Auth Domain name. We are working on a fix and should hopefully have this resolved today.

1 Like

If you are still experiencing this issue, please contact us and provide a ticket number here and we’ll be happy to assist.

1 Like

We believe this issue should be resolved. The only step required is if a user still has a CF_Authorization cookie, they will need to delete that cookie before attempting to reauth.

If you continue to experience issues, please file a support ticket per Chris’ instructions. Thank you all for your patience and sorry for the inconvenience caused here.

1 Like
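For the cookie step in the reply above, an added example (not part of the thread and not Cloudflare's code) that checks whether a leftover CF_Authorization value copied from browser dev tools is expired or was issued for a different team domain. It assumes the cookie is a compact JWT whose `iss` claim is `https://<team domain>`; the team names and tokens are constructed samples, and the claims are decoded without signature verification, so this is a diagnostic only.

```javascript
// Decode the claims of a CF_Authorization value WITHOUT verifying the signature.
// Diagnostic only: never base an access decision on unverified claims.
function decodeClaims(jwt) {
  const parts = String(jwt).trim().split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 parts)");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Return the reasons this cookie should be deleted before re-authenticating.
// teamDomain is the CURRENT auth domain, e.g. "newteam.cloudflareaccess.com".
function staleReasons(jwt, teamDomain, nowSec = Math.floor(Date.now() / 1000)) {
  let claims;
  try {
    claims = decodeClaims(jwt);
  } catch (e) {
    return ["unparseable: " + e.message];
  }
  const reasons = [];
  if (typeof claims.exp !== "number") reasons.push("no exp claim");
  else if (claims.exp <= nowSec) reasons.push(`expired ${nowSec - claims.exp}s ago`);
  // Assumption: the issuer is the team domain URL, so a cookie minted
  // before a team/auth domain rename still carries the old name.
  const expectedIss = `https://${teamDomain}`;
  if (claims.iss !== expectedIss) reasons.push(`iss ${claims.iss} != ${expectedIss}`);
  return reasons;
}

// Constructed sample tokens (the signature part is a dummy string).
function makeSample(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.c2lnbmF0dXJl`;
}
const NOW = 1700000000; // fixed clock so the sample output is stable
const oldDomainCookie = makeSample({
  iss: "https://oldteam.cloudflareaccess.com", exp: NOW - 3600, email: "user@example.com",
});
const freshCookie = makeSample({
  iss: "https://newteam.cloudflareaccess.com", exp: NOW + 86400, email: "user@example.com",
});

console.log(staleReasons(oldDomainCookie, "newteam.cloudflareaccess.com", NOW));
console.log(staleReasons(freshCookie, "newteam.cloudflareaccess.com", NOW));
```

Any non-empty result means the cookie should be cleared for that domain before logging in again.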

No def not…

FYI I’ve been informed it is a wide issue which they’ve just resolved, we can now access as per normal


Ok Thanks

It may be too late but I’ve been informed it is a wide issue which they’ve just resolved, we can now access as per normal
