Receive HTTP status 401 instead of 200 when using invalid service token or JWT

Hi all,

We created an ‘Access Service Token’ which we can use from our external tool to authenticate. Also we use ‘AzureAD’ as a login method which can be used in the browser.

It’s all working fine, but when an invalid (or expired) client ID/secret or JWT is used, the default ‘Cloudflare Access’ page with a ‘Sign in’ suggestion is returned with HTTP status 200. In our external tool, how can we differentiate this page from the ‘desired response’ from our application? It would be nice if an HTTP status 401 is returned instead of a 200, is that possible?

While Googling I found the screenshot below. It seems it’s somewhere in ‘Access policies’ but I cannot find it.

Thanks in advance!

It should just appear when editing a policy that has the Service Auth action.

Thanks for your reply!

I just cannot find that screen… How do you get there?

When I go to ‘Access’ → ‘Access policies’ → ‘Create Access Policy’ I see the screen below, but apparently that’s a different screen.

That looks like the old dashboard - use and then click on Access on the left sidebar then Applications.

Thanks again!

You are right! Now I see the 401 toggle (after I click ‘Service Auth’ again, even though ‘Service Auth’ was already selected, that seems like a bug in the GUI…).

I placed the policy on top of the other policies, but still I receive an HTTP 200 error when using an invalid CF-Access-Client-Id and invalid CF-Access-Client-Secret.

Does adding 'X-Requested-With': 'XMLHttpRequest' to the request headers help?

I just started testing this header in a Single Page App (ReactJS) context, and it seems to work as advertised, although I’m not using a service token, and I was getting response code 302 rather than 200.

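One way for an external tool to tell the Access sign-in page from the application's own response without relying on the status code alone, as an added example that is not part of the original thread or Cloudflare's code. It assumes the application replies with JSON and that the login redirect points at a `*.cloudflareaccess.com` host; `classify` and `service_token_headers` are hypothetical names, and the sample responses are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the Access login redirect points at a *.cloudflareaccess.com host.
ACCESS_LOGIN_SUFFIX = ".cloudflareaccess.com"
# Assumption: the protected application answers API calls with JSON.
EXPECTED_TYPE = "application/json"


def service_token_headers(client_id, client_secret):
    """Request headers for a service token, plus the header suggested in the thread."""
    return {
        "CF-Access-Client-Id": client_id,
        "CF-Access-Client-Secret": client_secret,
        "X-Requested-With": "XMLHttpRequest",
    }


def classify(status, headers):
    """Return 'app', 'auth_rejected', 'access_login' or 'unexpected'.

    Call this on the first response, with redirect following disabled in the
    HTTP client, so a 302 to the login page is not silently turned into a 200.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if status in (401, 403):
        return "auth_rejected"
    if 300 <= status < 400:
        host = (urlsplit(h.get("location", "")).hostname or "").lower()
        return "access_login" if host.endswith(ACCESS_LOGIN_SUFFIX) else "unexpected"
    if status == 200 and ctype == EXPECTED_TYPE:
        return "app"
    if status == 200 and ctype == "text/html":
        # A 200 HTML page where JSON was expected: the sign-in page case.
        return "access_login"
    return "unexpected"


# Constructed sample responses (status, headers); not captured traffic.
SAMPLES = [
    (200, {"Content-Type": "application/json; charset=utf-8"}),
    (200, {"Content-Type": "text/html; charset=UTF-8"}),
    (302, {"Location": "https://example-team.cloudflareaccess.com/cdn-cgi/access/login/app.example.com"}),
    (401, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for status, hdrs in SAMPLES:
        print(status, classify(status, hdrs))
```

Anything other than `app` should be treated as a failed authentication by the tool, and the body should not be parsed as application data.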