With Cloudflare Access, you can create Allow or Block policies which evaluate the user based on custom criteria. This is done by adding an External Evaluation rule to your policy. The External Evaluation selector requires two values:

Evaluate URL — the API endpoint containing your business logic.

Keys URL — the key that Access uses to verify that the response came from your API.

After the user authenticates with your identity provider, Access sends the user's identity to the external API at Evaluate URL. The external API returns a True or False response to Access, which will then allow or deny access to the user. To protect against man-in-the-middle attacks, Access signs all requests with your Access account key and checks that responses are signed by the key at Keys URL.

You can set up External Evaluation rules using any API service, but to get started quickly we recommend using Cloudflare Workers.

Set up external API and key with Cloudflare Workers

Prerequisites

1. Create a new Worker

Open a terminal and clone our example project:

npm create cloudflare@latest my-worker -- --template https://github.com/cloudflare/workers-access-external-auth-example

Go to the project directory:

cd my-worker

Create a Workers KV namespace to store the key. The binding name should be KV if you want to run the example as written.

npx wrangler kv namespace create "KV"

The command will output the binding name and KV namespace ID, for example:

[[kv_namespaces]]
binding = "KV"
id = "YOUR_KV_NAMESPACE_ID"

Open the Wrangler configuration file in an editor and insert the following:

[[kv_namespaces]]: Add the output generated in the previous step.

<TEAM_NAME>: your Cloudflare Zero Trust team name.

wrangler.jsonc

{
  "name": "my-worker",
  "workers_dev": true,
  "compatibility_date": "2024-08-06",
  "main": "index.js",
  "kv_namespaces": [
    {
      "binding": "KV",
      "id": "YOUR_KV_NAMESPACE_ID"
    }
  ],
  "vars": {
    "TEAM_DOMAIN": "<TEAM_NAME>.cloudflareaccess.com",
    "DEBUG": false
  }
}

wrangler.toml

name = "my-worker"
workers_dev = true
compatibility_date = "2024-08-06"
main = "index.js"

[[kv_namespaces]]
binding = "KV"
id = "YOUR_KV_NAMESPACE_ID"

[vars]
TEAM_DOMAIN = "<TEAM_NAME>.cloudflareaccess.com"
DEBUG = false

2. Program your business logic

Open index.js and modify the externalEvaluation function to perform logic on any identity-based data sent by Access.

Note: Sample code is available in our GitHub repository.

To view a list of identity-based data fields, log in to your Access application and append /cdn-cgi/access/get-identity to the URL. For example, if www.example.com is behind Access, visit https://www.example.com/cdn-cgi/access/get-identity.

Deploy the Worker to Cloudflare's global network:

npx wrangler deploy

The Worker will be deployed to your *.workers.dev subdomain at my-worker.<YOUR_SUBDOMAIN>.workers.dev .

3. Generate a key

To generate an RSA private/public key pair:

Open a browser and go to https://my-worker.<YOUR_SUBDOMAIN>.workers.dev/keys.

(Optional) Verify that the key has been stored in the KV namespace: in the Cloudflare dashboard, go to the Workers KV page and select View next to my-worker-KV.

Other key formats (such as DSA) are not supported at this time.

4. Create an External Evaluation rule

In Zero Trust, go to Access > Policies. Edit an existing policy or select Add a policy. Add the following rule to your policy:

Rule Type: Include
Selector: External Evaluation
Evaluate URL: https://my-worker.<YOUR_SUBDOMAIN>.workers.dev/
Keys URL: https://my-worker.<YOUR_SUBDOMAIN>.workers.dev/keys/

Save the policy. Go to Access > Applications and edit the application for which you want to apply the External Evaluation rule. In the Policies tab, add the policy that contains the External Evaluation rule. Select Save application.

When a user logs in to your application, Access will now check their email, device, location, and other identity-based data against your business logic.

Troubleshooting the Worker

To debug your External Evaluation rule: