How can I secure my Authentik instance with CF zero trust without breaking SSO

What is the name of the domain?

auth.example.com

What is the issue you’re encountering?

OIDC via Authentik stops working with non-SERVICE_AUTH access policies

What are the steps to reproduce the issue?

I successfully set up a CF tunnel to my VPS where nginx is configured as a reverse proxy to forward traffic to several self-hosted web applications (each on their own subdomain). I was able to secure my web apps (excluding Authentik) using an email authorization step and geolocation restrictions. All of my web apps are configured to use Authentik (OIDC) as an SSO. However, if I add the same access policy to Authentik (auth.example.com), logging in to any of these web apps no longer works, throwing some arbitrary “failed to login” or “something went wrong” error. My intention is to not directly expose Authentik to the public internet but hide it behind some other type of authentication (preferably email). The only method of restricting access that worked for me was using SERVICE_AUTH in combination with IP allowlisting. However, I don’t want to use IP allowlisting to begin with. I was also experimenting with WARP, but SERVICE_AUTH doesn’t support the WARP Gateway restriction.

Is this setup not possible?

I am trying to achieve this exact setup; were you able to figure this out?

Hey! The Gateway/WARP restriction should work with service auth. You may need to go into Device Posture and add those as posture checks. Then they should show up in the policy builder. Otherwise you would need to use a Service Token or IP allow list like you described.

I think you might also be able to leverage some specific Bypass policies for the Authentik authentication URLs while enforcing Access auth in front of all the admin pages. You can create a second Access app for a specific url path and bypass, which I’ve seen work with other similar setups.
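The split described in the reply above (Access in front of the Authentik UI, a bypass only for the OIDC protocol endpoints) written out as Terraform for the Cloudflare provider. This is an added example and not the configuration of anyone in this thread: the zone id, admin e-mail address and country code are placeholders, the Authentik endpoint paths under /application/o/ are taken from Authentik's OIDC provider layout rather than from the thread, and the assumption that Access evaluates the application with the most specific domain+path match first should be confirmed against the current Cloudflare documentation before relying on it.

```hcl
# Added example (not from the thread): two Cloudflare Access applications for
# auth.example.com, built with the cloudflare provider's
# cloudflare_access_application and cloudflare_access_policy resources.
# Placeholders: var.zone_id, var.admin_email and the "DE" country code.

variable "zone_id"     { type = string }
variable "admin_email" { type = string }

# 1) Catch-all application: everything on auth.example.com, including the
#    admin UI under /if/admin/ and the interactive login flow pages under
#    /if/flow/, requires an e-mail OTP login AND a permitted country.
resource "cloudflare_access_application" "authentik" {
  zone_id          = var.zone_id
  name             = "Authentik (UI and admin)"
  domain           = "auth.example.com"
  type             = "self_hosted"
  session_duration = "24h"
}

resource "cloudflare_access_policy" "authentik_allow" {
  application_id = cloudflare_access_application.authentik.id
  zone_id        = var.zone_id
  name           = "Allow admin by e-mail, restricted by country"
  precedence     = 1
  decision       = "allow"

  include {
    email = [var.admin_email]
  }

  # "require" narrows the include: an e-mail match alone is not enough.
  require {
    geo = ["DE"] # placeholder country code
  }
}

# 2) More specific application for the OIDC protocol endpoints only.
#    Relying parties call /application/o/token/, /application/o/userinfo/
#    and the per-provider /application/o/<slug>/.well-known/openid-configuration
#    and /application/o/<slug>/jwks/ URLs server-to-server, so they can never
#    answer an interactive Access challenge; that is what breaks the login.
#    Assumption: Access picks the application whose domain+path matches most
#    specifically, so this bypass applies only below /application/o/.
resource "cloudflare_access_application" "authentik_oidc" {
  zone_id          = var.zone_id
  name             = "Authentik OIDC endpoints"
  domain           = "auth.example.com/application/o/"
  type             = "self_hosted"
  session_duration = "24h"
}

resource "cloudflare_access_policy" "authentik_oidc_bypass" {
  application_id = cloudflare_access_application.authentik_oidc.id
  zone_id        = var.zone_id
  name           = "Bypass Access for OIDC protocol endpoints"
  precedence     = 1
  decision       = "bypass"

  include {
    everyone = true
  }
}
```

The bypassed paths are not left open: the token endpoint still demands the client secret of the registered OIDC provider and userinfo still demands a bearer token issued by Authentik, so Authentik's own protocol checks remain the control there, while every human-facing page (the /if/flow/ login pages the authorize endpoint redirects to, and /if/admin/) still sits behind the e-mail and country policy. After applying, test with one relying party and, if the e-mail OTP no longer appears on the login redirect or the token exchange still fails, check in the Access logs which of the two applications handled the request.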