cloudflare / cloudflared

Cloudflare Tunnel client (formerly Argo Tunnel)
https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide
Apache License 2.0

cloudflared access problem with headers: CF_Authorization/cf-access-token #1005

Open scmanjarrez opened 1 year ago

scmanjarrez commented 1 year ago

Hi, I've configured my gitlab server to use cloudflared to generate https and ssh tunnels. The ssh tunnel is working fine when cloning, however, the https endpoint doesn't work.

Describe the bug

Whenever I try to clone using https, I'm redirected to the Cloudflare Access portal when I send the following cookie:

cookie.txt, obtained from cloudflared access token -app=https://gitlab.myhost.es

CF_Authorization=eyJhbGciOiJSUzI1<redacted>;

Git clone

❯ ck=$(cat cookie.txt)
❯ git clone -c http.extraHeader="Cookie: $ck" https://gitlab.myhost.es/internal/internalresources.git
Cloning into 'internalresources'...
fatal: unable to update url base from redirection:
  asked for: https://gitlab.myhost.es/internal/internalresources.git/info/refs?service=git-upload-pack
   redirect: https://cfuser.cloudflareaccess.com/cdn-cgi/access/login/gitlab.myhost.es?kid=2f07f99436fc1049d833c3c40626b9ff2<redacted>&redirect_url=%2Finternal%2Finternalresources.git%2Finfo%2Frefs%3Fservice%3Dgit-upload-pack&meta=eyJraWQiOiJlZjAyNjZj<redacted>
❯ 

However, sending the cookies used by the browser skips the access portal:

cookie2.txt, obtained by inspecting the browser request

CF_Authorization=eyJhbGciOiJSUzI1<redacted>; CF_Binding=eyJhbGciOiJSUzI1NiIsImtpZCI<redacted>;

Git clone

❯ ck2=$(cat cookie2.txt)
❯ git clone -c http.extraHeader="Cookie: $ck2" https://gitlab.myhost.es/internal/internalresources.git
Cloning into 'internalresources'...
Username for 'https://gitlab.myhost.es': ^C
❯ 

Cloudflared configuration:

Expected behavior

Clone the repository

Environment and versions

Additional context

I've tried pre-login with cloudflared, but it exits with a "Could not verify token" error after accepting the two banners.

❯ cloudflared access login gitlab.gicp.es
A browser window should have opened at the following URL:

https://gitlab.myhost.es/cdn-cgi/access/cli?aud=2f07f99436fc1049d833c3c40626b9ff<redacted>&edge_token_transfer=true&redirect_url=https%3A%2F%2Fgitlab.myhost.es%3Faud%3D2f07f99436fc1049d833c3c40626b9<redacted>%26token%3DmSdi6fRtlULLjeSIU<redacted>&send_org_token=true&token=mSdi6fRtlULLjeSIUqDC61<redacted>

If the browser failed to open, please visit the URL above directly in your browser.
A browser window should have opened at the following URL:

https://gitlab.myhost.es/cdn-cgi/access/cli?aud=2f07f99436fc1049d833c3c40626b9ff29cb2<redacted>&edge_token_transfer=true&redirect_url=https%3A%2F%2Fgitlab.myhost.es%3Faud%3D2f07f99436fc1049d833c3c40626b9f<redacted>%26token%3DbaO_u_3uakF_C-AN<redacted>&send_org_token=true&token=baO_u_3uakF_C-AN8ie<redacted>

If the browser failed to open, please visit the URL above directly in your browser.
2023-06-26T13:56:03Z ERR Could not verify token error="failed to verify token"
failed to verify token

notdodo commented 8 months ago

Same here. I'm not able to use a valid access token from the cloudflared access login command, since the command will ask for approval 2 times and then fail with the error Could not verify token error="failed to verify token". The token actually is generated and saved in the ~/.cloudflared folder, but it's unusable because when calling the actual endpoint with curl -H 'cf-access-token: <JWT>' I get a 302 to the login page. Everything works from the browser, and if I copy/paste the cookies from the browser flow into the curl command I get access to the app.

foo-1a commented 8 months ago

Same as @notdodo here. I would add as context that the application policy in our case is set to ALLOW, include login method Okta, require Okta group membership. We are correctly logging in via Okta and are in the correct group, as observed by being able to access the application from the browser, but no luck with the token from the CLI.

foo-1a commented 8 months ago

Solved for us - turns out the "require binding cookie" setting is what prevents tokens from being used via CLI. Turning it off for the app makes it start working.
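
A triage helper for the symptom reported in this thread, added here as an example (it is not part of the issue or of cloudflared): given the Cookie header that was sent and the response headers that came back, it reports whether the request was bounced to the Access login page while carrying CF_Authorization but no CF_Binding. The function names, verdict strings and sample responses are constructed for illustration; the tokens are placeholders.

```shell
#!/usr/bin/env bash
# Added example: offline triage of "302 to Access login despite a token".
# All names and sample data below are constructed, not cloudflared output.

# Print the cookie names found in a Cookie header value, one per line.
cookie_names() {
  printf '%s\n' "$1" | tr ';' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/=.*$//' | grep -v '^$'
}

# Succeed if the Cookie header value carries a cookie with the given name.
has_cookie() {
  cookie_names "$1" | grep -qx "$2"
}

# Succeed if the raw response headers are a redirect to the Access login
# page (the cloudflareaccess.com/cdn-cgi/access/login/ URL git reported).
is_access_login_redirect() {
  local status location
  status=$(printf '%s\n' "$1" | tr -d '\r' | awk 'NR==1 {print $2}')
  location=$(printf '%s\n' "$1" | tr -d '\r' \
    | awk 'tolower($1)=="location:" {print $2; exit}')
  case "$status" in 301|302|303|307|308) ;; *) return 1 ;; esac
  case "$location" in
    https://*.cloudflareaccess.com/cdn-cgi/access/login/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Combine both observations into a single verdict.
diagnose() {
  if ! is_access_login_redirect "$2"; then echo "passed-access"
  elif ! has_cookie "$1" CF_Authorization; then echo "no-access-token-sent"
  elif ! has_cookie "$1" CF_Binding; then echo "token-without-binding-cookie"
  else echo "rejected-with-both-cookies"
  fi
}

# Constructed sample input (placeholder tokens and hostnames).
CLI_COOKIE='CF_Authorization=PLACEHOLDER_JWT;'
BROWSER_COOKIE='CF_Authorization=PLACEHOLDER_JWT; CF_Binding=PLACEHOLDER_JWT;'
LOGIN_REDIRECT=$(printf 'HTTP/2 302\r\nlocation: https://team.cloudflareaccess.com/cdn-cgi/access/login/app.example.com?kid=PLACEHOLDER\r\n')
ORIGIN_REPLY=$(printf 'HTTP/2 401\r\nwww-authenticate: Basic realm="GitLab"\r\n')

diagnose "$CLI_COOKIE" "$LOGIN_REDIRECT"     # CLI token only, bounced to login
diagnose "$BROWSER_COOKIE" "$ORIGIN_REPLY"   # browser cookies, reached origin
```

Real response headers for the second argument can be captured with `curl -s -o /dev/null -D - -H "Cookie: $ck" <url>`. A `token-without-binding-cookie` verdict points at the application's "require binding cookie" setting discussed in the last comment.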