Generic OIDC
Cloudflare Access has a generic OpenID Connect (OIDC) connector to help you integrate IdPs not already set in Access.
Set up a generic OIDC
Visit your identity provider and create a client/app.
When creating a client/app, your IdP may request an authorized redirect URI. Enter your team domain followed by this callback at the end of the path:
/cdn-cgi/access/callback
. For example:https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callbackCopy the content of these fields:
- Client ID
- Client secret
- Auth URL: The
authorization_endpoint
URL of your IdP - Token URL: The
token_endpoint
URL of your IdP - Certificate URL: The
jwks_uri
endpoint of your IdP to allow the IdP keys to sign the tokens
You can find these values on your identity provider’s OIDC discovery endpoint. Some providers call this the “well-known URL”.
In Zero Trust, navigate to Settings > Authentication.
Under Login methods, click Add new.
Choose OpenID Connect..
Name your identity provider and fill in the required fields with the information obtained in Step 3.
(Optional) Enable Proof of Key Exchange (PKCE) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
(Optional) Under Optional configurations, enter custom OIDC claims that you wish to add to your Access application token.
Click Save.
To test that your connection is working, navigate to Authentication > Login methods and click Test next to the login method you want to test. On success, a confirmation screen displays.
Example API Configuration
{ "config": { "client_id": "<your client id>", "client_secret": "<your client secret>", "auth_url": "https://accounts.google.com/o/oauth2/auth", "token_url": "https://accounts.google.com/o/oauth2/token", "certs_url": "https://www.googleapis.com/oauth2/v3/certs", "scopes": ["openid", "email", "profile"] }, "type": "oidc", "name": "Generic Google"
}