Replies: 2 comments
-
I've had a go at this using the Credentials provider and have it sort of working with SvelteKit.
```js
import Credentials from "@auth/core/providers/credentials"
import { jwtVerify, createRemoteJWKSet } from 'jose'

export default function CloudflareAccess(event) {
  // Ask Cloudflare Access for the identity behind a CF_Authorization token.
  const getIdentity = async (host, auth) =>
    await fetch(`https://${host}/cdn-cgi/access/get-identity`, {
      headers: {
        Cookie: `CF_Authorization=${auth}`,
      },
    }).then((data) => data.json());

  // Verify the token's signature against the Access JWKS and check the audience tag.
  async function isValidJwt(host, token) {
    // Template literal: with plain double quotes "${host}" was never interpolated.
    const JWKS = createRemoteJWKSet(new URL(`https://${host}/cdn-cgi/access/certs`))
    const audience = event.platform?.env.ACCESS_AUD
    // jose skips the audience check when `audience` is undefined, so fail closed instead.
    if (!audience) throw Error('ACCESS_AUD is not configured')
    const { payload, protectedHeader } = await jwtVerify(token, JWKS, { audience })
    return (payload && protectedHeader)
  }

  return Credentials({
    id: "cloudflare",
    name: "Cloudflare Access",
    credentials: {},
    async authorize(_, request) {
      const { cookies } = event;
      const auth = cookies.get('CF_Authorization')
      if (!auth) {
        console.log('CF_Authorization header not found!')
        throw Error('CF_Authorization header not found')
      }
      const access = await isValidJwt(event.url.host, auth)
      if (!access) {
        console.log('Invalid JWT')
        throw Error('Invalid JWT')
      }
      // Only after the JWT has been verified do we trust get-identity for the user record.
      const identity = await getIdentity(event.url.host, auth);
      const user = (({ id, name, email, }) => ({ id, name, email }))(identity)
      console.log('cloudflare - user', user)
      if (!user) return null
      return user
    }
  })
}
```

You'll also need Jose in Add this as a provider in

```js
import { sequence } from '@sveltejs/kit/hooks';
import { SvelteKitAuth } from '@auth/sveltekit'
import CloudflareAccess from '$lib/server/@auth/providers/cloudflareaccess'

// Build the provider per request so it can read the event's cookies, host and platform env.
const CFAccess = (/** @type {import("@sveltejs/kit").RequestEvent<Partial<Record<string, string>>, string | null>} */ event) => {
  return CloudflareAccess(event)
}

export const handle = sequence(
  SvelteKitAuth(async (event) => {
    const authOptions = {
      providers: [ CFAccess(event) ],
      // other AuthJS options
    };
    return authOptions;
  })
)
```

Set a protected route in the Cloudflare Access dashboard. I used If you go to the AuthJS sign-in page and pick What doesn't work is setting the AuthJS/NextJS session cookies and JWT. I think this is because the Credential provider with
-
Just discovered someone giving it a red hot go: https://github.com/seiry/next-cloudflare-zerotrust-jwt-auth-middleware/blob/main/src/edge.ts
-
Description 📓
I'm wanting to have Cloudflare Access sitting in front of our website.
We currently use NextAuth with AzureAD, but now want Cloudflare Access to deal with AD for us.
My understanding is that to get it working, we'd need a new Provider modeled off the Credentials provider?
There is already some prior art.
How to reproduce ☕️
NA, think it's self explanatory?
Contributing 🙌🏽
Yes, I am willing to help implement this feature in a PR
Happy to pitch in (or donate if someone can implement it quick), just need guidance :)