diff --git a/src/content/docs/cloudflare-one/identity/authorization-cookie/validating-json.mdx b/src/content/docs/cloudflare-one/identity/authorization-cookie/validating-json.mdx index ffcdebfa528e4fb..55b383ab385281a 100644 --- a/src/content/docs/cloudflare-one/identity/authorization-cookie/validating-json.mdx +++ b/src/content/docs/cloudflare-one/identity/authorization-cookie/validating-json.mdx 
@@ -102,6 +102,62 @@ To get the AUD tag: You can now paste the AUD tag into your token validation script. The AUD tag will never change unless you delete or recreate the Access application. +### Cloudflare Workers example + +When Cloudflare Access is in front of your [Worker](/workers), your Worker still needs to validate the JWT that Cloudflare Access adds to the `Cf-Access-Jwt-Assertion` header on the incoming request. + +The following code will validate the JWT using the [jose NPM package](https://www.npmjs.com/package/jose): + +```javascript +import { jwtVerify, createRemoteJWKSet } from 'jose'; + +export default { + async fetch(request, env, ctx) { + // Get the JWT from the request headers + const token = request.headers.get('cf-access-jwt-assertion'); + + // Check if token exists + if (!token) { + return new Response('Missing required CF Access JWT', { + status: 403, + headers: { 'Content-Type': 'text/plain' } + }); + } + + try { + // Create JWKS from your team domain + const JWKS = createRemoteJWKSet(new URL(`${env.TEAM_DOMAIN}/cdn-cgi/access/certs`)); + + // Verify the JWT + const { payload } = await jwtVerify(token, JWKS, { + issuer: env.TEAM_DOMAIN, + audience: env.POLICY_AUD, + }); + + // Token is valid, proceed with your application logic + return new Response(`Hello ${payload.email || 'authenticated user'}!`, { + headers: { 'Content-Type': 'text/plain' } + }); + + } catch (error) { + // Token verification failed + return new Response(`Invalid token: ${error.message}`, { + status: 403, + headers: { 'Content-Type': 'text/plain' } + }); + } + }, +}; +``` + +#### Required environment variables + +Add these [environment variables](/workers/configuration/environment-variables/) to your Worker: + - `POLICY_AUD`: Your application's [AUD tag](#get-your-aud-tag) + - `TEAM_DOMAIN`: `https://.cloudflareaccess.com`, where `` is replaced with your actual team name. 
+ +You can set these variables by adding them to your Worker's [Wrangler configuration file](/workers/wrangler/configuration/), or via the Cloudflare dashboard under **Workers & Pages** > **your-worker** > **Settings** > **Environment Variables**. + ### Golang example ```go @@ -246,7 +302,7 @@ if __name__ == '__main__': app.run() ``` -### JavaScript example +### JavaScript (Node.js) example ```javascript const express = require("express"); @@ -292,7 +348,3 @@ app.get("/", (req, res) => { app.listen(3333); ``` - -## Related resources - -- [Verifying JWTs in Cloudflare Workers](https://kinde.com/blog/engineering/verifying-jwts-in-cloudflare-workers/) - Implement JWT verification in Cloudflare Workers.
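Review bot: In the Workers example hunk, `createRemoteJWKSet(...)` is called inside `fetch`, so a fresh JWKS client (and its empty cache) is built on every request and the `/cdn-cgi/access/certs` endpoint is fetched each time instead of being cached between requests. Since `env` is only available per request, lazily create it once at module scope, for example `let JWKS; ... JWKS ??= createRemoteJWKSet(new URL(`${env.TEAM_DOMAIN}/cdn-cgi/access/certs`));`, so jose's built-in caching and key-rotation cooldown actually apply. Two smaller points in the same hunk: the 403 body `Invalid token: ${error.message}` echoes the verifier's failure reason (expected audience/issuer, expiry) to the caller, so consider logging it and returning a generic message; and in the environment variable list the `TEAM_DOMAIN` placeholder renders as an empty code span (`https://.cloudflareaccess.com`, where `` is replaced), so the team-name placeholder text needs to be restored or escaped for MDX.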
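Review bot: Renaming `### JavaScript example` to `### JavaScript (Node.js) example` changes the generated anchor from `#javascript-example` to `#javascript-nodejs-example`, so any existing links to the old anchor (in other docs pages or external references) will silently land at the top of the page. Please grep the repo for `validating-json#javascript-example` and update those links, or keep the old slug if the site supports explicit heading ids.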
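Review bot: Removing the `## Related resources` section and its only entry (the external Kinde post on verifying JWTs in Workers) is reasonable now that the page carries its own Workers example, but the `#related-resources` anchor disappears with it; check for inbound links to that anchor before merging, and note the rationale in the commit message so the removal is not mistaken for an accidental drop.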