No app token set when validating jwt token from cloudflare worker

What is the name of the domain?

example.com

What is the issue you’re encountering?

I’ve created a Zero Trust access application that points at a Cloudflare worker. The application uses Azure AD. Authentication completes successfully but the worker can’t validate the jwt.

What steps have you taken to resolve the issue?

The worker directs to the access application, I’m able to log in via SSO but then I get the no app token set error. I’ve extracted the jwt from the console and I get the same error when testing with curl. I’ve decoded the jwt and it appears valid and the aud tag matches the application. Here is the relevant section of worker code:

```javascript
export default {
  async fetch(request, env, ctx) {
    const { pathname } = new URL(request.url);

    // Check if the request has been authenticated by Cloudflare Access
    const cfProperties = request.cf || {};
    const authorization = request.headers.get('cf-access-jwt-assertion');

    if (!authorization) {
      // If there's no Cloudflare Access JWT, redirect to login
      return Response.redirect('https://<redacted>.cloudflareaccess.com/cdn-cgi/access/login/<app-id-redacted>', 302);
    }

    try {
      // Verify the JWT from Cloudflare Access
      const jwt = await fetch('https://<redacted>.cloudflareaccess.com/cdn-cgi/access/get-identity', {
        headers: {
          'Authorization': `Bearer ${authorization}`,
        }
      });

      if (jwt.status !== 200) {
        return new Response('Access Denied', { status: 403 });
      }
      // (the rest of the handler was not included in the post)
    } catch (err) {
      // Placeholder so the excerpt parses; the original catch block was not posted
      return new Response('Access Denied', { status: 403 });
    }
  },
};
```

Validate JWTs · Cloudflare Zero Trust docs

I resolved this by using the public key validation method instead.

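The public key validation method mentioned in the resolution, as an added example (not the poster's code and not Cloudflare's): the Worker checks the `cf-access-jwt-assertion` signature locally against the team's published keys, then checks audience, issuer and expiry. The names `verifyAccessJwt`, `jwks` and `expected` are assumptions; `jwks` is assumed to be the parsed JSON from `https://<redacted>.cloudflareaccess.com/cdn-cgi/access/certs`, and `expected.iss` the team domain URL.

```javascript
// Added example: local RS256 validation of the Cf-Access-Jwt-Assertion header.
// WebCrypto is a global in Workers; the fallback lets the file run on older Node.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;

// Decode a base64url string to bytes.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const bin = atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}
const parsePart = (s) => JSON.parse(new TextDecoder().decode(b64urlToBytes(s)));

// jwks: parsed body of the team's certs endpoint ({ keys: [...] }) (assumption).
// expected: { aud, iss } for this application, e.g. from Worker config (assumption).
async function verifyAccessJwt(token, jwks, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = (token || '').split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = parsePart(h);
  // Pin the algorithm; never let the token choose it.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const key = await subtle.importKey('jwk', jwk,
    { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, false, ['verify']);
  const ok = await subtle.verify('RSASSA-PKCS1-v1_5', key,
    b64urlToBytes(s), new TextEncoder().encode(`${h}.${p}`));
  if (!ok) throw new Error('bad signature');
  // Claims are trusted only after the signature has been verified.
  const claims = parsePart(p);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.aud)) throw new Error('wrong audience');
  if (claims.iss !== expected.iss) throw new Error('wrong issuer');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  return claims;
}
```

In a Worker, call this from `fetch` with the header value and return 403 on any thrown error; cache the fetched key set rather than requesting it on every request.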