src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access.mdx
+1 -1 Lines changed: 1 addition & 1 deletion
@@ -21,7 +21,7 @@ Cloudflare Access provides visibility and control over who has access to your [c
21
21
1. At your SaaS provider account, select [Zero Trust](https://one.dash.cloudflare.com).
22
22
2. Go to **Access** > **Applications**.
23
23
3. Select **Add an application** and, for type of application, select **Self-hosted**.
24
-
4. Enter a name for your Access application and, in **Session Duration**, choose how often the user's [application token](/cloudflare-one/identity/authorization-cookie/application-token/) should expire.
24
+
4. Enter a name for your Access application and, in **Session Duration**, choose how often the user's [application token](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) should expire.
25
25
5. Select **Add public hostname**.
26
26
6. For **Input method**, select _Custom_.
27
27
7. In **Hostname**, enter your custom hostname (for example, `mycustomhostname.com`).
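Review bot: The old URL `/cloudflare-one/identity/authorization-cookie/application-token/` in step 4 is replaced without any redirect for it appearing in the changes shown here, so bookmarks and external links to the old path depend on something this hunk does not show. Confirm that a redirect from the `identity/authorization-cookie/` prefix to `access-controls/applications/http-apps/authorization-cookie/` already exists, or add one in the same change.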
| Global session token | Stores the user's identity from the IdP and provides single sign-on (SSO) functionality for all Access applications. |[Global session duration](#global-session-duration)| Your Cloudflare <GlossaryTooltipterm="team domain">team domain</GlossaryTooltip> |
19
-
|[Application token](/cloudflare-one/identity/authorization-cookie/application-token/)| Allows the user to access a specific Access application. |[Policy session duration](#policy-session-duration), which defaults to the [application session duration](#application-session-duration)| The hostname protected by the Access application |
19
+
|[Application token](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/)| Allows the user to access a specific Access application. |[Policy session duration](#policy-session-duration), which defaults to the [application session duration](#application-session-duration)| The hostname protected by the Access application |
20
20
21
21
The user can access the application for the entire duration of the application token's lifecycle. When the application token expires, Cloudflare will automatically issue a new application token if the global token is still valid (and the user's identity still passes your Access policies). If the global token has also expired, the user will be prompted to re-authenticate with the IdP.
src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token.mdx
+4 -4 Lines changed: 4 additions & 4 deletions
@@ -16,7 +16,7 @@ As shown above, the JWT contains three Base64-URL values separated by dots:
16
16
-[Payload](#payload)
17
17
-[Signature](#signature)
18
18
19
-
Unless your application is connected to Access through Cloudflare Tunnel, your application must [validate the token](/cloudflare-one/identity/authorization-cookie/validating-json/) to ensure the security of your origin. Validation of the header alone is not sufficient — the JWT and signature must be confirmed to avoid identity spoofing.
19
+
Unless your application is connected to Access through Cloudflare Tunnel, your application must [validate the token](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) to ensure the security of your origin. Validation of the header alone is not sufficient — the JWT and signature must be confirmed to avoid identity spoofing.
20
20
21
21
## Header
22
22
@@ -55,7 +55,7 @@ The payload contains the actual claim and user information to pass to the applic
| type | The type of Access token (`app` for application token or `org` for global session token). |
123
-
| aud | The [application audience (AUD) tag](/cloudflare-one/identity/authorization-cookie/validating-json/#get-your-aud-tag) of the Access application. |
123
+
| aud | The [application audience (AUD) tag](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#get-your-aud-tag) of the Access application. |
124
124
| exp | The expiration timestamp of the JWT (Unix time). |
125
125
| iss | The Cloudflare Access domain URL for the application. |
126
126
| common_name | The Client ID of the service token (`CF-Access-Client-Id`). |
@@ -129,6 +129,6 @@ Access will return a JSON structure containing the following data:
129
129
130
130
## Signature
131
131
132
-
Cloudflare generates the signature by signing the encoded header and payload using the SHA-256 algorithm (RS256). In RS256, a private key signs the JWTs and a separate [public key](/cloudflare-one/identity/authorization-cookie/validating-json/#access-signing-keys) verifies the signature.
132
+
Cloudflare generates the signature by signing the encoded header and payload using the SHA-256 algorithm (RS256). In RS256, a private key signs the JWTs and a separate [public key](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#access-signing-keys) verifies the signature.
133
133
134
134
For more information on JWTs, refer to [jwt.io](https://jwt.io/).
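Review bot: The Signature sentence that carries the updated link still describes RS256 as "the SHA-256 algorithm"; RS256 is an RSA signature (RSASSA-PKCS1-v1_5) computed over a SHA-256 digest, and SHA-256 on its own is a hash that involves no key. Since the line is being edited anyway, consider wording such as "signing the encoded header and payload with RSA using SHA-256 (RS256)", which also matches the following sentence about the private and public keys.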
src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/index.mdx
+4 -4 Lines changed: 4 additions & 4 deletions
@@ -18,7 +18,7 @@ Access generates two separate `CF_Authorization` tokens depending on the domain:
18
18
19
19
-**Global session token**: Generated when a user logs in to Access. This token is stored as a cookie at your <GlossaryTooltipterm="team domain">team domain</GlossaryTooltip> (for example, `https://<your-team-name>.cloudflareaccess.com`) and prevents a user from needing to log in to each application.
20
20
21
-
-[**Application token**](/cloudflare-one/identity/authorization-cookie/application-token/): Generated for each application that a user reaches. This token is stored as a cookie on the protected domain (for example, `https://jira.site.com`) and may be used to [validate requests](/cloudflare-one/identity/authorization-cookie/validating-json) on your origin.
21
+
-[**Application token**](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/): Generated for each application that a user reaches. This token is stored as a cookie on the protected domain (for example, `https://jira.site.com`) and may be used to [validate requests](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json) on your origin.
22
22
23
23
### Multi-domain applications
24
24
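Review bot: In the added **Application token** bullet, the `validate requests` link ends in `.../authorization-cookie/validating-json` with no trailing slash, while the `application-token/` link on the same line and the other links updated in this commit end in `/`. The omission is carried over from the removed line; add the trailing slash here so the link form is consistent with the rest of the change.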
@@ -36,19 +36,19 @@ The following Access cookies are essential to Access functionality. Cookies that
|[JSON web token (JWT)](/cloudflare-one/identity/authorization-cookie/#access-jwts) set on the `cloudflareaccess.com`[team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) that contains the user's identity and enables Access to perform single sign-on (SSO) | <details><summary>View</summary>If set, adheres to [global session duration](/cloudflare-one/access-controls/access-settings/session-management/#global-session-duration).<br/><br/>If not, adheres to [application session duration](/cloudflare-one/access-controls/access-settings/session-management/#application-session-duration).<br/><br/>If neither are set, defaults to 24 hours.</details> | Yes | None | Required |
39
+
|[JSON web token (JWT)](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#access-jwts) set on the `cloudflareaccess.com`[team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) that contains the user's identity and enables Access to perform single sign-on (SSO) | <details><summary>View</summary>If set, adheres to [global session duration](/cloudflare-one/access-controls/access-settings/session-management/#global-session-duration).<br/><br/>If not, adheres to [application session duration](/cloudflare-one/access-controls/access-settings/session-management/#application-session-duration).<br/><br/>If neither are set, defaults to 24 hours.</details> | Yes | None | Required |
|[JSON web token (JWT)](/cloudflare-one/identity/authorization-cookie/#access-jwts) set on the domain protected by Access that allows Access to confirm that the user has been authenticated and is authorized to reach the origin | <details><summary>View</summary>If set, adheres to [policy session duration](/cloudflare-one/access-controls/access-settings/session-management/#policy-session-duration).<br/><br/>If not, adheres to [application session duration](/cloudflare-one/access-controls/access-settings/session-management/#application-session-duration).<br/><br/>If neither are set, defaults to 24 hours.</details> | Admin choice (Default: None) | Admin choice (Default: None) | Required |
45
+
|[JSON web token (JWT)](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#access-jwts) set on the domain protected by Access that allows Access to confirm that the user has been authenticated and is authorized to reach the origin | <details><summary>View</summary>If set, adheres to [policy session duration](/cloudflare-one/access-controls/access-settings/session-management/#policy-session-duration).<br/><br/>If not, adheres to [application session duration](/cloudflare-one/access-controls/access-settings/session-management/#application-session-duration).<br/><br/>If neither are set, defaults to 24 hours.</details> | Admin choice (Default: None) | Admin choice (Default: None) | Required |
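Review bot: Both rewritten table rows link to `/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#access-jwts`, which from the file path (`authorization-cookie/index.mdx`) appears to be a heading on this same page. An in-page link `#access-jwts`, like the `#global-session-duration` style anchors used in the session table elsewhere in this commit, would not need another edit the next time the directory moves.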
src/content/docs/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json.mdx
+1 -1 Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ sidebar:
7
7
8
8
import { GlossaryTooltip } from"~/components";
9
9
10
-
When Cloudflare sends a request to your origin, the request will include an [application token](/cloudflare-one/identity/authorization-cookie/application-token/) as a `Cf-Access-Jwt-Assertion` request header. Requests made through a browser will also pass the token as a `CF_Authorization` cookie.
10
+
When Cloudflare sends a request to your origin, the request will include an [application token](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) as a `Cf-Access-Jwt-Assertion` request header. Requests made through a browser will also pass the token as a `CF_Authorization` cookie.
11
11
12
12
Cloudflare signs the token with a key pair unique to your account. You should validate the token with your public key to ensure that the request came from Access and not a malicious third party. We recommend validating the `Cf-Access-Jwt-Assertion` header instead of the `CF_Authorization` cookie, since the cookie is not guaranteed to be passed.