How Access Works

If you use Cloudflare, your requests are already being proxied through our 160+ data centers around the world. With Access enabled, when a request is received by Cloudflare, we check if that visitor is allowed to reach your application based on policies you control.

When a user attempts to connect, we redirect them to your custom Access authentication screen. They can follow the prompts to log in with the identity provider you have configured. Once authenticated, Access redirects them to the application. All subsequent requests from that user are evaluated for successful authentication.

Access creates a signed token for every user session which includes information you need to identify the user and the application they are reaching. You can place Access in front of resources that normally require a VPN, like development sites, self-hosted tools, and external services you host as a subdomain of your site.

Access sessions are shared between all sites in your Cloudflare account. If a user is authenticated for one, and permitted to reach another, they can seamlessly use the tools they need to do their best work.

To secure your origin, you must first enable Argo Tunnel or limit connections to your origin to only allow Cloudflare IPs and verify the JWT per the instructions here.

Deep Dive

(Diagram: Access flow)

  • A user attempts to reach test.example.com, a website protected by Cloudflare Access. The request is evaluated for the presence of a token from Cloudflare when it hits the Cloudflare network, before it ever reaches your server. Cloudflare checks whether the request carries a valid CF_AUTHORIZATION cookie. In this example, the user does not have a cookie yet. Cloudflare Access looks up your Access configuration and redirects the user to your login page. Your user can select the configured identity provider and proceed to log in with their IdP credentials.

  • When the user clicks on the identity provider, Access redirects the request to your configured identity provider. This step can be removed if you only use one identity provider.

  • The identity provider login page is displayed to the user.

  • The user inputs their credentials and clicks the login button.

  • Upon successful authentication the identity provider generates an access token and calls the callback URL which will return the access token to Cloudflare Access.

  • Cloudflare Access uses the token to fetch user information (email address, name etc.) from the identity provider.

  • Access uses the information to check the access policies for test.example.com and determines if the user should be granted access.

  • If the user should be able to access the application, Access generates a JWT and injects it into a CF_AUTHORIZATION cookie.

  • The JWT is valid for a period of time that you control and can be revoked at any time.

  • Cloudflare Access then redirects the request to the origin server.

  • The user is able to access test.example.com.
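The origin-side JWT check that the paragraph on securing your origin asks for, and that the CF_AUTHORIZATION cookie step above produces the token for, as an added Go example that is not part of the original page. It assumes the Access token layout of an RS256-signed JWT whose aud array carries your application's audience tag plus exp and email claims, and that the Access signing public key has already been loaded; NewSigningKey is a constructed stand-in for that key pair so the check runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"slices"
	"strings"
)

// Claims is the subset of the Access JWT payload an origin check needs; Access records the application's audience tag in "aud".
type Claims struct {
	Aud   []string `json:"aud"`
	Email string   `json:"email"`
	Exp   int64    `json:"exp"`
}

// NewSigningKey is a constructed stand-in for the Access key pair so the check can be exercised locally; it is not Cloudflare's key.
func NewSigningKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails on a broken entropy source
	return k
}

// VerifyAccessJWT checks the RS256 signature, the expiry (now is Unix seconds) and the audience tag; any error means "unauthenticated".
func VerifyAccessJWT(token string, pub *rsa.PublicKey, audTag string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".") // header.payload.signature, each base64url without padding
	var hdr struct{ Alg string `json:"alg"` }
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token, header unreadable, or alg is not RS256") // refuses alg=none
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // RS256 signs SHA-256(header.payload)
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if raw, err = base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("claims unreadable")
	}
	if now >= c.Exp || !slices.Contains(c.Aud, audTag) {
		return nil, errors.New("token expired or not issued for this application")
	}
	return &c, nil
}
```

Without this check, anything that can reach the origin directly (bypassing Cloudflare) is served as if it had passed your Access policy, which is why the origin must also be restricted to Cloudflare IPs or Argo Tunnel.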