I have set up Access to require user login, and am able to pull the email address from the cf-access-jwt-assertion header. My question is, do I need to validate the JWT before I really know that I have the correct email address in a Pages Function?
As I understand it, the point of validating the JWT is to protect against tampering. But my tests with Postman indicate that you can’t set cf-access-jwt-assertion from the client (could someone verify that?). It seems that header is only set by Cloudflare’s middleware, as derived from the cookie. And if you tamper with the cookie, Access doesn’t let you past. Without a valid cookie, Access sends you to the login page. So, in the context of a Pages Function, can I assume that the header’s JWT is valid because Access wouldn’t have allowed the Pages Function to run if it wasn’t? In other words, didn’t Access already do the validation for me?
If my understanding is correct, passing the JWT to something else would break the chain of custody this assumption is based on. I think I can assume the JWT is valid in the Pages Function because the Pages Function can’t execute unless Access has already validated the cookie. If I pass the JWT to some other code that isn’t fully protected by Access, I no longer have any guarantees of validity and must validate for myself.
In short, I want to do some routing in my middleware that depends on the user’s identity (via email address). I’d rather not have to fetch the JWKS and do the validation for each and every middleware request if Access is already giving me validity guarantees.
Thank you so much for your assistance!