Service token best practice

Writing here because I don’t know if there is a better channel to ask this question. It relates to Zero Trust/Cloudflare Access. We have a use case where we want to secure a web application we developed that is served up within a webview within an iOS app. We don’t want users having to log in; if the request comes from the web app then we want it to get right in. My understanding is that Service Tokens within Cloudflare Access would be a proper solution to this. However, we cannot control the HTTP headers that the app passes, so I’m thinking that we need to create a new endpoint/worker that will be available outside of Access security, which will then make the request with the service token headers and return the JWT, etc. And then within that new endpoint/worker, have some test that ensures that the request originated from the authorized iPad app. Wondering if this is a solid approach, and/or if there are better ways to address this that may be considered best practice.

In this scenario we have full control over where the app is installed, so we are not worried about unauthorized app installs.

Assuming you are correct in your assumption that the app will only ever be installed on authorised devices, that seems like a reasonable solution. The attack vector here is that anyone with access to the app would technically be able to reverse-engineer the authorisation and forge requests after that. But in this scenario you won’t ever truly be able to avoid that anyway.
