How Access Works

If you use Cloudflare, it’s likely your requests are already being proxied through our 150+ data centers around the world. With Access enabled, when a request is received by Cloudflare, we check if that visitor is allowed to reach your application based on policies you control. If your visitor does not already have a valid session cookie from Cloudflare Access, they will be redirected to your custom Access login page to sign in.

At that login page, your users will be able to authenticate with an identity provider (IdP) you configured (or just their email if you configure One-Time Pin). Once they login with their IdP, the provider will pass back its authentication decision to Cloudflare.

You are provided with the headers you need to know who this user is without needing to manage any of the overhead of their authentication. You can place Access in front of resources that normally require a VPN, like development sites, self-hosted tools, and external services you host as a subdomain of your site.

We provide you with the headers to identify the users without the need to manage additional overhead of authentication modules or VPN configuration. Place Access in front of resources like development sites, self-hosted tools, and APIs.

Access sessions are shared between all sites in your Cloudflare account. If a user is authenticated for one, and permitted to reach another, they can seamlessly use the tools they need to do their best work.

To secure your origin, you must first enable Argo Tunnel or limit connections to your origin to only allow Cloudflare IPs and verify the JWT per the instructions here.

Deep Dive

access-flow

    • A user tries to reach test.example.com a website protected by Cloudflare Access. The request will be intercepted at the Cloudflare Edge network. Cloudflare checks if the request has a valid CF_AUTHORIZATION cookie. In this example, we do not have a cookie yet. So Cloudflare Access looks up your Access configuration and redirects the user to your login page. Your user can select the configured identity provider and proceed to login with their IdP credentials.
  • When the user clicks on the identity provider, Access redirects the request to your configured identity provider.

  • The identity provider login page is displayed to the user.

  • The user inputs their credentials and clicks login button.

  • Upon successful authentication the identity provider generates an access token and calls the callback URL which will return the access token to Cloudflare Access.

  • Cloudflare Access uses the token to fetch user information (email address, name etc.) from the identity provider.

  • Access uses the information to check the access policies for test.example.com and determines if the user should be granted access.

  • If the user should be able to access to the application, Access generates a JWT and injects the JWT into a CF_AUTHORIZATION cookie

  • The JWT is valid for a period of time that you control and can be revoked at any time.

  • Cloudflare Access then redirects the request to the origin server.

  • The user is able to access test.example.com.