Single Sign On with Authentik for your services behind Cloudflare zero trust
Update Dec 25, 2024: steps updated for Authentik release 2024.12.1
Assumptions:
- you are already exposing a simple website
service.example.com
through Cloudflare Zero Trust - this service is currently publicly accessible with no authentication whatsoever
- Authentik is already installed (it’s really just a
.env
and adocker-compose.yml
) and available athttps://auth.example.com
(behind Cloudflare too, in my case). - you want to put the service behind an OpenID connect authentication
- you want any authenticated Authentik user to access the webpage
You will need to find the name of your Cloudflare team:
- Go to https://one.dash.cloudflare.com/
- Settings > Custom Pages
- Save the URL found under “Team domain”, this will be used in the next step
In Authentik create a new provider:
- Application > Providers > Create
- Choose OAuth2/OpenID Provider
- Name:
Cloudflare
- Authorization flow:
default-provider-authorization-implicit-consent
- Client type:
Confidential
- Client ID: copy and save
- Client Secret: copy and save
- Redirect URI/s (use your Team domain found in the previous step):
- Strict
https://YOURTEAM.cloudflareaccess.com/cdn-cgi/access/callback
- Signing Key:
authentic Self-signed Certificate
Click Finish.
IMPORTANT: If you don’t choose the signing key you’d likely get an error “Failed to fetch user/group information from the identity provider”
NOTE: At this point, the provider gives a warning “Provider not assigned to any application”. Let’s take care of that now.
Still in Authentik, go to Applications > Applications:
- Click Create
- Name:
Cloudflare
- Slug:
cloudflare
- Provider:
Cloudflare
- Policy engine mode:
ANY
Click “Create”.
Choose your account.
Create an identity provider:
- Settings > Authentication
- Under Login method, click “Add new”
- Select OpenID Connect as the identity provider
- Name:
Authentik
- App ID: paste Client ID saved earlier
- Client secret: paste Client secret earlier
- Auth URL:
https://auth.example.com/application/o/authorize/
- Token URL:
https://auth.example.com/application/o/token/
- Certificate URL:
https://auth.example.com/application/o/cloudflare/jwks/
(thecloudflare
part of the URL is theslug
defined in the previous step! Update accordingly.) - Save
- Test: it should quickly connect to Authentik and say “Your connection works!”
Still in Cloudflare Zero trust, create an application:
- Go to Access > Applications
- Add an application
- Self-hosted
- Enter an application name:
myapp
- Session duration:
24 hours
- Application domain: specify the address of your currently exposed service (found in Access > Tunnels > )
- Identity providers: untick “accept all available identity providers” and select only “OpenID Connect Authentik”
- Tick “Skip identity provider selection if only one is configured”
- Next
- Policy name: allow
- Action: allow
- Session duration: same as application
- Selector: Everyone
- Next
- Add
Go to your website. You will be redirect to Authentik to something like https://auth.example.com/if/flow/default-authentication-flow/...
If not already authenticated in Authentik, do so.
You can now see your website. Your website is now secure!