Unable to revoke user or device or session for Cloudflare Access

I am unable to revoke access to Cloudflare Access for a user or a device or a session.

Anyone else having this issue?

Hi @ned.12,

What are you trying to do and what’s not working? Do you get an error message when you try?

Have you read the docs on this:
https://developers.cloudflare.com/cloudflare-one/identity/users/session-management

I am unable to revoke access, as shown in this section of the docs: https://developers.cloudflare.com/cloudflare-one/identity/users/session-management#per-user

Or any other way for that matter. I click revoke, it says it successfully revoked the user, and yet if I refresh the page it still says they have access, and if I check the WARP client the session is still active and usable.

I have also tried to revoke a device session; however, this also seems to have no effect on the WARP client that is connected either, even though it does say that the session is revoked.

So, to summarise, I am unable to revoke access to Cloudflare Teams, which seems like a pretty big issue. Am I missing something?

I’m noticing the same behavior, specifically attempting to revoke access to a private network via WARP.

Steps to reproduce:

  1. Remove a user from a particular Google group that grants access to the private network (both via a Gateway Network Policy and Device Enrollment Policy).
  2. Revoke/remove user/device in the Cloudflare Console.
  3. User continues to be able to make requests to private network via WARP.

Can confirm exactly the same behaviour. Device and user have been removed/revoked and yet they are still able to access the private network.

It’s as if the WARP client completely ignores the policies and sessions. Is this a known issue/bug? It seems pretty serious!

Sadly, I gave up on this. I specifically needed to be able to easily add and remove people, and this was a major deal-breaker for me. Hopefully, it gets sorted out as the product would be great if it worked as I think it’s intended to.

That’s unfortunate, as it really is a standard security function of any remote access app. Like you said, otherwise it’s a great product. Hopefully the issue gets some traction.