Skip to main content

Cloudflare Access

Support level: Community

What is Cloudflare Access

Cloudflare Access is a secure, cloud-based zero-trust solution for managing and authenticating user access to internal applications and resources.

-- https://www.cloudflare.com/zero-trust/products/access/

Preparation

The following placeholders will be used:

  • mysubdomain.cloudflareaccess.company is the FQDN of your Cloudflare Access subdomain.
  • authentik.company is the FQDN of the authentik install.

To proceed, you need to register for a free Cloudflare Access account and have both a Cloudflare account and a publicly accessible authentik instance with a trusted SSL certificate.

authentik configuration

Step 1: Log in to authentik

  1. Log in to your authentik instance.
  2. Click Admin interface.

Step 2: Create a new authentication provider

  1. Under Application, click Providers and create a new provider.
  2. Choose OAuth2/OpenID Provider and then click Next.
  3. Set the authorization flow to Authorize Application (default-provider-authorization-explicit-consent).
  4. Set the client type to Confidential.
  5. Set the redirect URI to https://mysubdomain.cloudflareaccess.company/cdn-cgi/access/callback.
  6. Ensure that the signing key is set to Authentik Self-signed Certificate.
  7. Click Finish to create the provider.

Step 3: Create a new application

  1. Create a new application and give it a name.
  2. Set the provider to the one you just created.
  3. Ensure that the Policy engine mode is set to ANY, any policy must match to grant access.
  4. Click Create and then navigate to your Cloudflare Access dashboard.

Cloudflare Access configuration

Step 4: Configure Cloudflare Access

  1. Go to the Cloudflare One dashboard.
  2. Click Settings at the bottom of the menu, then select Authentication.

Step 5: Add a login method

  1. From Login methods click Add and select OpenID Connect"
  2. Enter a name for your login method. This can be anything.
  3. Copy the following details from the authentik provider settings you previously created and paste them into the text boxes:
    • Client ID -> App ID
    • Client Secret -> Client Secret
    • Authorize URL -> Auth URL
    • Token URL -> Token URL
    • JWKS URL -> Certificate URL
  4. Click Save.
  5. Click Test to verify your login provider.