Unable to use Access CORS with Access


I'm trying to replace my VPN with Cloudflare Teams / Access.

We have 2 domains, configured as 2 “applications” in Cloudflare:

domainA.io and domainB.io are configured to accept only users in a Google Group. This is working fine.
But API requests from domainA.io to domainB.io are redirected to the Cloudflare login page, even if I’m logged in to domainA.io and domainB.io.

Apparently, Simple Request requires a different configuration, but both Simple Requests and requests with preflight are redirected.

I tried some CORS configurations like this one: Cloudflare Access CORS issue
Current configuration of domainB.io is:

  • Access-Control-Allow-Credentials: Checked
  • Access-Control-Max-Age (seconds): 86400
  • Access-Control-Allow-Origin: https://domainA.io
  • Allow all http headers: Checked
  • Allow all methods: Checked

This is not working; requests are redirected to the Cloudflare login.

An alternative solution is to add an application with the specific path of the API and a BYPASS policy, but in this case the API is not secured.

How can I get CORS requests working?

Thanks!

You can use a Service Auth rule here to authenticate API traffic. Then you can create a service token that is used to authenticate the API traffic. Service tokens · Cloudflare for Teams docs
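The service-token approach from the reply above, sketched as an added example (not part of the original reply and not Cloudflare's own code). It assumes the call to the domainB.io API is made from domainA.io's backend rather than from browser JavaScript, since the token secret must not be shipped to clients; the environment variable names and the check for a `cloudflareaccess.com` login host are assumptions.

```javascript
'use strict';

// Header names Cloudflare Access reads for service-token authentication.
const ID_HEADER = 'CF-Access-Client-Id';
const SECRET_HEADER = 'CF-Access-Client-Secret';

// Build the auth headers from the environment (variable names are hypothetical).
function buildAccessHeaders(env) {
  const id = env.CF_ACCESS_CLIENT_ID;
  const secret = env.CF_ACCESS_CLIENT_SECRET;
  if (!id || !secret) throw new Error('service token not configured');
  return { [ID_HEADER]: id, [SECRET_HEADER]: secret };
}

// Tell an API answer apart from the symptom described in the question:
// a redirect to the Access login page instead of the API response.
function classifyAccessResponse(status, location) {
  if (status >= 300 && status < 400 && location) {
    let host = '';
    try { host = new URL(location).hostname; } catch { return 'redirect'; }
    // Assumption: the Access login page is served from <team>.cloudflareaccess.com.
    return host.endsWith('.cloudflareaccess.com') ? 'access-login-redirect' : 'redirect';
  }
  if (status === 401 || status === 403) return 'denied';
  return status >= 200 && status < 300 ? 'ok' : 'error';
}

// Server-side call to the protected API. Redirects are not followed, so a
// login redirect fails loudly instead of returning the login page's HTML.
async function callProtectedApi(url, env, fetchImpl = fetch) {
  const res = await fetchImpl(url, {
    headers: buildAccessHeaders(env),
    redirect: 'manual',
  });
  const verdict = classifyAccessResponse(res.status, res.headers.get('location'));
  if (verdict !== 'ok') {
    throw new Error(`Access did not admit the request: ${verdict} (${res.status})`);
  }
  return res.json();
}
```

The token only authenticates if the domainB.io application has a policy with the Service Auth action that includes it, as the reply describes.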

Thanks @kjohnson1, I thought about it but I prefer to avoid code modifications for this, if possible.