It’s only early days but I thought I’d share with the community that I’ve released a WordPress plugin on WordPress.org to integrate with Cloudflare Access.
The plugin is located here: AH JWT Auth
The plugin validates an incoming JWT from a HTTP header and extracts the
If a matching user doesn’t exist, one will be created with the default role set up for your WordPress install (usually the
The plugin is not Cloudflare Access specific (but that was the primary reason for writing the plugin) so by default it will look at the “standard”
Authorization: bearer header, but this can be overridden to instead look for the
Cf-Access-Jwt-Assertion header instead.
Finally this plugin won’t deny access for requests that don’t include a JWT, it just signs the user in if the request includes a JWT. After that it’s over to WordPress to handle cookies etc, so you could just protect the
/wp-admin/ path for admin SSO and nothing else.
Constructive feedback is welcome.