Unified Cloudflare Teams application authorization

The application I am trying to protect using Cloudflare Access has a frontend subdomain and a backend subdomain. The Cloudflare Access application uses a wildcard subdomain that includes both domains. When the user logs in to the frontend, the webapp is broken because the backend returns with 302 status.

Is there a way to unify the CF_Authorization cookies in some way? Or maybe WARP can automatically log me into the applications? I do not want my frontend to open a bunch of popups for every subdomain that is accessed.

Any information is helpful. Thank you!

Whilst I’m unsure of how to get the cookies to be the same, I do know that you can automatically sign in users with the WARP Client. (I suspect that WARP attributes may also include other WARP+ users, so I prefer to use Gateway, but they’re basically the same thing.)

Go to dash.teams.cloudflare.com, then go to My Team → Devices → Device Posture, and add Gateway (or WARP if that’s what you want).

Then, do either one of these (you don’t need both):

  1. (Specific Applications) Go into Access → Applications, and under one of your application policies, add an Include rule for Gateway/WARP.
  2. (All Applications) Go into My Teams → Groups, select the Default Group, and then add an Include rule for Gateway/WARP. Any application that uses the Default Group settings will allow WARP clients to sign in.

That’s interesting, I didn’t know you could include WARP status of the device in policies.

However, my problem is that users have to open both frontend.application.com and api.application.com in browser tabs before they can use my application. Even if they are authorized to access both domains, they must open both domains in a separate browser window for Cloudflare to set the cookies. Otherwise, api.application.com redirects to a login page instead of json data.

This doesn’t make sense because api.application.com is a REST api, not a website. If I was to add 3 more subdomains later, then the user would need to open 5 tabs and close 4 of them before they can use my application.

Since I have automatic login enabled with a SAML IdP, Cloudflare could redirect to IdP ACS and then redirect back to api.application.com but it returns a login page instead. Also, since I’m using a wildcard subdomain application, Cloudflare could add both domains in the cookie’s domain, but it doesn’t. I have also tried to include api.application.com on my site as an iframe element, but Cloudflare’s CSP doesn’t allow for it. I’ll be looking for a workaround.

Thank you for your help!

On this link, it does mention that during the authorization flow, Cloudflare will eventually handle it after a while; however, the cookies are different for every domain (hence why you’re running into that many login screens).
https://developers.cloudflare.com/cloudflare-one/policies/zero-trust/cors#access-and-cors

Service Tokens I believe are a way to resolve this issue, however you might want to also look into how Access handles CORS requests. On that above link, it does mention allowing all origins or ‘null’ using CORS, however I’m not sure if this will fix your issue.


That’s actually very useful, I hadn’t realized that redirects caused Origin to be null. The problem with what I was doing is that I was using “Incognito” mode for testing and it was blocking the Set-Cookie response from domain.cloudflareaccess.com. I feel very stupid, but now that I added null to Access-Control-Allow-Origin and that I’m testing from an actual browser window, it’s working flawlessly.

Since I wildcarded the application, I wish I could also wildcard the Access-Control-Allow-Origin setting, but I guess that’s a minor issue.

Thank you very much for your help!

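The thread ends with two practical points: a fetch from frontend.application.com to api.application.com gets bounced through Access (so a browser will report the redirected request's Origin as `null`, which is why `null` had to be allowed), and a credentialed call cannot be served by a wildcard `Access-Control-Allow-Origin`. The following browser-side code is an added example, not code from the thread or from Cloudflare: it classifies what the backend actually returned (JSON, the Access login page, or a CORS block) instead of letting the app break on a 302, and it encodes the standard CORS rule that a cookie-bearing response must echo the exact Origin (including the literal `null`) with `Access-Control-Allow-Credentials: true`. The hostnames come from the thread; the `/v1/status` path is an assumption made for this example.

```javascript
// Added example (not from the thread): calling a Cloudflare Access protected
// REST backend from a frontend on a sibling subdomain. Hostnames are the ones
// named in the thread; the /v1/status path is an assumption.
const API_ORIGIN = 'https://api.application.com';

// Classify the final Response of a credentialed fetch().
//   'ok'    -> JSON came back, so the api.application.com CF_Authorization
//              cookie is present (or Access auto-authorized via the IdP)
//   'login' -> Access answered with a redirect we did not follow, or served
//              its HTML login page with a 200 instead of API output
//   'error' -> the API itself failed (4xx/5xx)
function classifyAccessResponse(resp) {
  if (resp.type === 'opaqueredirect') return 'login';        // redirect: 'manual'
  if (resp.status >= 300 && resp.status < 400) return 'login';
  if (!resp.ok) return 'error';
  const contentType = (resp.headers.get('content-type') || '').toLowerCase();
  return contentType.includes('application/json') ? 'ok' : 'login';
}

// Standard CORS rule for credentialed requests: Access-Control-Allow-Origin
// must equal the request's Origin exactly ('null' counts as a literal value)
// and may not be '*', and Access-Control-Allow-Credentials must be 'true'.
// This is why the wildcard wished for in the last post cannot work for
// cookie-bearing calls.
function corsAllowsCredentialed(headers, requestOrigin) {
  const acao = headers.get('access-control-allow-origin');
  const acac = headers.get('access-control-allow-credentials');
  return acao !== null && acao !== '*' && acao === requestOrigin && acac === 'true';
}

// Call the API with the Access cookie attached and follow Access's redirect
// chain (the thread's working setup). A TypeError from fetch() is the browser
// refusing the response on CORS grounds, which is what happened before 'null'
// was added to Access-Control-Allow-Origin.
async function callApi(path) {
  let resp;
  try {
    resp = await fetch(API_ORIGIN + path, {
      credentials: 'include',                  // send CF_Authorization cookie
      headers: { Accept: 'application/json' },
    });
  } catch (err) {
    if (err instanceof TypeError) return { state: 'cors', data: null };
    throw err;
  }
  const state = classifyAccessResponse(resp);
  return { state, data: state === 'ok' ? await resp.json() : null };
}

// One probe at app start. 'login' means Access could not authorize the call
// silently; the app can then send the user through the API host once rather
// than failing on every request. Only runs in a browser.
async function bootstrap() {
  const { state, data } = await callApi('/v1/status');
  if (state === 'ok') return data;
  if (state === 'login') console.warn('Access login needed for', API_ORIGIN);
  if (state === 'cors') console.warn('CORS blocked the Access redirect; check Access-Control-Allow-Origin includes null');
  return null;
}

if (typeof window !== 'undefined') bootstrap();
```

The classifier deliberately treats a 200 carrying HTML as a login page: with redirects followed, an unauthorized call to a REST endpoint behind Access ends on the login HTML rather than a 302, and parsing that as JSON is exactly how the original frontend "broke".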