JWT Verification for Cloudflare Access


#1

Hi All,

I’m new to Cloudflare Access. I was able to configure it pretty easily, but am having some difficulty verifying JWT tokens: https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/.

My selected method is Programmatic via Python. I’ve got all the dependencies installed, and have updated the supplied script with my audience tag and auth domain. Unfortunately, I’m getting a 403 and, “missing required cf authorization token.”

In addition to the setup instructions, are there other steps I need to take to verify the token?

I apologize if this is a ridiculous question or have provided incomplete information. It’s not intentional. I’m trying to learn. Thank you for your patience.


#2

For starters, I am neither overly familiar with Access nor with Python, so I am a bit in uncharted waters here :slight_smile: however from your description and the code listed under the linked page I would get the impression the 403 you were referring to is the else branch in the first if of the wrapper function. Would that be about right?

    def wrapper():
        token = ''
        # Only the CF_Authorization cookie is consulted here (Flask's request object)
        if 'CF_Authorization' in request.cookies:
            token = request.cookies['CF_Authorization']
        else:
            # No cookie on the request: this is the 403 from the original post
            return "missing required cf authorization token", 403
        keys = _get_public_keys()

If that is the case it would seem as if your request did not contain the CF_Authorization cookie which is supposed to hold the token.

Cloudflare Access generated JWT tokens are available in a request header as Cf-Access-Jwt-Assertion and cookie as CF_Authorization.
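To make the point above concrete, here is an added example (not code from the thread or from Cloudflare's documented script) that looks for the token in both places Access puts it, then applies the claim checks an app needs after the signature has been verified. The audience tag, issuer domain and the token itself are constructed placeholders, and the signature segment is a dummy: signature verification against the public keys the documented script fetches is assumed to happen separately and is deliberately not performed here.

```python
import base64
import json
import time

# Constructed placeholders (not from the thread); replace with your own values.
AUDIENCE = "example-audience-tag"
ISSUER = "https://example-team.cloudflareaccess.com"


def extract_access_token(headers, cookies):
    """Return the Access JWT from a request, or None if it is absent.

    Access forwards the token both as the Cf-Access-Jwt-Assertion header and
    as the CF_Authorization cookie. The documented script only reads the
    cookie, so a request that never went through Access has nothing to verify.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    header_token = lowered.get("cf-access-jwt-assertion")
    if header_token:
        return header_token
    return cookies.get("CF_Authorization")


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(token):
    """Decode the payload WITHOUT checking the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims, audience, issuer, now=None):
    """Claim checks to apply after signature verification succeeds.

    Returns a list of problems; an empty list means the claims are acceptable.
    """
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        problems.append("aud mismatch")
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    if "exp" not in claims or now >= claims["exp"]:
        problems.append("expired")
    return problems


def _make_unsigned_token(claims):
    # Constructed demo token: the signature segment is a placeholder, so it
    # would (correctly) fail real signature verification.
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder"


def demo():
    claims = {"aud": [AUDIENCE], "iss": ISSUER, "exp": 2_000_000_000,
              "email": "user@example.com"}
    token = _make_unsigned_token(claims)
    # A request as Access forwards it: the header carries the token.
    via_access = extract_access_token({"Cf-Access-Jwt-Assertion": token}, {})
    # A request sent straight from a laptop, never passing through Access.
    direct = extract_access_token({"User-Agent": "curl"}, {})
    problems = check_claims(unverified_claims(via_access), AUDIENCE, ISSUER,
                            now=1_700_000_000)
    return via_access is not None, direct is None, problems


if __name__ == "__main__":
    print(demo())
```

The second case in `demo()` reproduces the situation in the original post: running the script against a request that never passed through Access yields no token at all, so the 403 is expected rather than a misconfiguration of the audience tag.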


#3

Did you hardcode those variables or are you reading them in as ENV variables? If you’re reading them in, can you echo them to make sure they are correct?


#4

Hi Sandro,

Yes. I think you’re right. Thanks!


#5

Hi,

I hardcoded the variables, copy/pasting my auth domain and audience tag.

Before I waste more of anyone’s time, I’ll explain what I’ve done. I’m a beginner. Sometimes, I think I understand how something works, but my assumptions are wrong, and it actually works in a different way.

I’m attempting verification from my local environment. The word verification suggested to me that I’d just be making sure the key pair is signing correctly. I also believed this because I read the article on how Access works. I didn’t see any of the steps hitting the actual app server, or in my case a web server, until authentication was complete at step 9. To me, that meant I wouldn’t need to run the script from my web server. I could be completely mistaken.

In my local environment, I’m using python3. I satisfied all the dependencies and executed the script.

After seeing this, please feel free to let me know I’m going about this the wrong way. Thanks for your time! :grinning:


#6

In that case I’d verify the authentication token is actually sent. If you don’t send the authentication credentials/token you will naturally fail the authentication :slight_smile:


#7

That sounds like a great idea. Now, I need to figure out how to do that! It’s a good learning opportunity for me. Thanks! :grinning:


#8

You need to have a JWT token issued. https://developers.cloudflare.com/access/connecting-to-apps/service-token/ might help you in this context.


#9

Awesome! Thank you!