Restrict access to workers.dev url using Access applications

Hi there !

I tried to restrict the access to a worker published on workers.dev by setting up an Access Application (https://developers.cloudflare.com/access/getting-started/applications). Everything has been configured properly (rule, identity provider) and I can see the new app in the App launcher page, asking for credentials from my identity provider, but a direct access to the workers.dev url is still possible without any protection. Any thoughts about what I could have missed?

Thanks

So you’re not using this through a URL at your domain?

Does this mean that Access is working for the URL that you specified in Access?

You can shut off connections to the workers.dev URL.

I will use a custom domain and shut off the access to workers.dev, but on the application configuration screen you can also choose a workers.dev url so I expected this to be working. If Access is not working properly with workers.dev it should be fixed or removed from the configuration options. I tested with my own domain and it’s working fine.

Like many hostname-dependent features of Cloudflare, it doesn’t error-check to see if you’re typing in a valid subdomain. And if it were to not allow you to add an inactive workers subdomain, what do you suggest to happen if it was an active subdomain, then you deactivate it? Should that Access setting be deleted?

I think you don’t get me. On the screen below the “select a domain” dropbox is showing all you custom domains + “workers.dev”. It appears that for some reasons a valid subdomain on workers.dev is not protected by access, so I’m wondering if it’s a bug or a limitation.

But a valid domain on workers.dev is protected by Access. If that workers.dev URL is enabled. If that workers.dev URL isn’t deployed, then it doesn’t resolve.

I must have something misconfigured. Little test:
-> this url is deployed https://auth-test.webtales.workers.dev/
-> access is configured


but still not protected. If I shut off the workers.dev publication and use a custom domain it will be protected.