OIDC

OpenID Connect

Entra ID as identity provider via OAuth 2.0 / OIDC. Cloudflare Access handles the token exchange.


Your Identity

CF Access — /cdn-cgi/access/get-identity

How This Works

When a request hits this page, Cloudflare Access checks for a valid CF_Authorization JWT. If absent or expired, it redirects the user to the Cloudflare login screen, which then redirects to Entra ID using the OAuth 2.0 authorisation code flow.

Entra authenticates the user (MFA if required by Conditional Access), returns an authorisation code to Cloudflare, and Cloudflare exchanges it for an ID token using the client secret. Cloudflare validates the token, applies the Access policy and, if the policy allows, issues its own JWT to the user's browser as the CF_Authorization cookie.

From this point, the user's Entra identity (email, name, groups) is available via /cdn-cgi/access/get-identity.


Entra Configuration

1. App Registration

  1. Entra ID → App registrations → New registration
  2. Name: Cloudflare Access — OIDC Demo
  3. Supported account types: Accounts in this organisational directory only
  4. Redirect URI: Web → https://<your-team>.cloudflareaccess.com/cdn-cgi/access/callback

2. Client Secret

  1. Certificates & secrets → New client secret
  2. Note the secret value immediately — it is not shown again

3. Note Required Values

From the app registration overview: Application (client) ID and Directory (tenant) ID. You will need both in Cloudflare.


Cloudflare Configuration

1. Add Identity Provider

  1. Zero Trust → Settings → Authentication → Add new → Azure AD
  2. Enter App ID, Client Secret, and Directory ID from Entra
  3. Enable Support Groups if you want to use Entra group membership in policies
  4. Test the connection before saving

2. Add Access Application

  1. Zero Trust → Access → Applications → Add an Application → Self-hosted
  2. Domain: barbicancloud.co.uk/oidc/* (path) or oidc.barbicancloud.co.uk (subdomain)
  3. Select the Azure AD identity provider added above (deselect One-time PIN)
  4. Add a policy: Action = Allow, Selector = Emails or Azure Group

Routing

  Path-based: barbicancloud.co.uk/oidc/
  Subdomain: oidc.barbicancloud.co.uk