Cloudflare Zero Trust OIDC with ZITADEL - Zitadel

import CreateApp from "../application/_application.mdx";

This guide shows how to configure ZITADEL as OpenID Connect identity provider for Cloudflare Zero Trust.

Prerequisites:

Existing ZITADEL instance, organization, and project. Follow our get started guide to get started. If not present follow this guide
Existing Cloudflare account and team domain

Create the application in ZITADEL

<CreateApp components={props.components} appType="web" authType="code" appName="Cloudflare" redirectURI="https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback"/>

Send user info in tokens

Make sure to enable "User Info inside ID Token" on your application settings.

<Callout> Cloudflare will return an error "User email was not returned. API permissions are likely incorrect". Enable to send the user information inside the token on your application settings. </Callout>

Configure Cloudflare Zero Trust Authentication

On the Cloudflare dashboard go to Zero Trust, click settings, and then select "Authentication"
Add a new login method with the type "OpenID Connect"
Fill in the required information. Check the discovery endpoint of your instance https://${CUSTOM_DOMAIN}/.well-known/openid-configuration for the urls. As mentioned in the Cloudflare docs the Certificate Url is jwks_uri.
Disable PKCE (Cloudflare requires a client secret for PKCE, which is currently not supported)
Add the following claims: "openid", "profile", "email"
Test the connection

Example settings

json

{
  "config": {
    "client_id": "<your client id>",
    "client_secret": "<your client secret>",
    "auth_url": "https://${CUSTOM_DOMAIN}.zitadel.cloud/oauth/v2/authorize",
    "token_url": "https://${CUSTOM_DOMAIN}.zitadel.cloud/oauth/v2/token",
    "certs_url": "https://${CUSTOM_DOMAIN}.zitadel.cloud/oauth/v2/keys",
    "scopes": ["openid", "email", "profile"],
    "pkce_enabled": false,
  },
  "type": "oidc",
  "name": "Generic Google"
}