Configure ZITADEL as an OIDC Identity Provider on Cloudflare Zero Trust
This guide shows how to configure ZITADEL as OpenID Connect identity provider for Cloudflare Zero Trust.
Prerequisites:
- Existing ZITADEL instance, organization, and project. Follow our get started guide to get started. If not present follow this guide
- Existing Cloudflare account and team domain
Create the client in ZITADEL​
Create the Cloudflare app
Go to the detail page of your project and click the "+"-button in the application-section. This will lead you to the the creation wizard.
Create the app by setting a name and select the application type "Web"
Select the authentication method
The authentication method defines the communication flow during a login
CodeUse if your application needs client id and client secret |
Redirect URIs
During the login flow the application defines where a user is redirected to after login or logout.
ZITADEL verifies if the URL the user gets redirected to is valid by checking if one of the redirect URIs match.
- Redirect URIs are verified during the login process.
- The default redirect uri of your app is
https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
- Post Logout URIs are verified during the logout process.
The default redirect uri of your app is https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
Review your configuration
The last page of the stepper shows a summary of what will be created. After you have reviewed the configuration you can create the application.
Client information
Please make sure to safe the client id and secret for later use in the application.
Send user info in tokens​
Make sure to enable "User Info inside ID Token" on your application settings.
Cloudflare will return an error "User email was not returned. API permissions are likely incorrect". Enable to send the user information inside the token on your client settings.
Configure Cloudflare Zero Trust Authentication​
- On the Cloudflare dashboard go to Zero Trust, click settings, and then select "Authentication"
- Add a new login method with the type "OpenID Connect"
- Fill in the required information. Check the discovery endpoint of your instance (https://{your_domain}/.well-known/openid-configuration) for the urls. As mentioned in the Cloudflare docs the Certificate Url is jwks_uri.
- Disable PKCE (Cloudflare requires a client secret for PKCE, which is currently not supported)
- Add the following claims: "openid", "profile", "email"
- Test the connection
Example configuration​
{
"config": {
"client_id": "<your client id>",
"client_secret": "<your client secret>",
"auth_url": "https://{your_domain}.zitadel.cloud/oauth/v2/authorize",
"token_url": "https://{your_domain}.zitadel.cloud/oauth/v2/token",
"certs_url": "https://{your_domain}.zitadel.cloud/oauth/v2/keys",
"scopes": ["openid", "email", "profile"],
"pkce_enabled": false,
},
"type": "oidc",
"name": "Generic Google"
}