Cloudflare Access OAuth2 Configuration

If you encounter issues logging in as an administrator using Github, Gitlab, or Gitee, you may consider switching to Cloudflare Access as the OAuth2 provider.

Example Configuration:

yaml

Oauth2:
  Admin: 701b9ea6-9f56-48cd-af3e-cbb4bfc1475c
  ClientID: 3516291f53eca9b4901a01337e41be7dc52f565c8657d08a3fddb2178d13c5bf
  ClientSecret: 0568b67c7b6d0ed51c663e2fe935683007c28f947a27b7bd47a5ad3d8b56fb67
  Endpoint: "https://xxxxx.cloudflareaccess.com"
  Type: cloudflare

Configuration Description:

Parameter	Retrieval Method
Admin	`My Team` -> `Users` -> `<specific user>` -> `User ID`
ClientID/ClientSecret	`Access` -> `Application` -> `Add an Application` -> `SaaS` -> `OIDC`
Endpoint	`Access` -> `Application` -> `Application URL` -> `Only keep the protocol and domain, no path`

Setting Up a New SaaS-OIDC Application

Navigate to the Zero Trust Dashboard: https://one.dash.cloudflare.com/. Choose or create a new account, then follow these steps:

Go to My Team -> Users -> Click <specific user> -> Obtain and save the User ID. (If this is your first time using Zero Trust, the Users list will be empty, and you can skip this step; users will appear after completing a verification.)
Navigate to Access -> Applications -> Add an Application.
Select SaaS. In the Application field, enter a custom application name (e.g., nezha), select OIDC, and then click Add application.
For Scopes, select openid, email, profile, groups.
In Redirect URLs, enter your Dashboard Callback URL, such as https://dashboard.example.com/oauth2/callback.
Record the Client ID, Client Secret, and the protocol and domain part of the Issuer address, for example, https://xxxxx.cloudflareaccess.com.
Edit the Dashboard configuration file (usually located at /opt/nezha/dashboard/data/config.yaml), adjust the OAuth2 settings according to the example configuration, and restart the Dashboard service.

Identity Verification Strategy Configuration

After setting up the Dashboard, you need to configure identity verification policies in the Zero Trust Dashboard. Navigate to: Access -> Applications -> <application name> -> Policies. You can choose from various SSO authentication methods, including email OTP and hardware key verification. For detailed configurations, refer to the Cloudflare Zero Trust Documentation.

Policy Configuration Example (One-time PIN)

Using email OTP as the default verification method:

Navigate to Access -> Applications -> <application name> -> Policies -> Add a policy.
Set a Policy Name, for example, OTP, and set Action to Allow.
Under Configure rules, add a new Include rule. Select Emails as the Selector and enter your email address in the textbox.
Click Save policy to save the configuration.

Testing the Policy

If the configuration is correct, when you visit the Dashboard login interface, it will display as "Log in with Cloudflare Account." Clicking on login will redirect you to the Cloudflare Access login page.
Enter the email address configured previously, click Send me a code, and then enter the code received to log in to the Dashboard.
If User ID was not specified in Admin during previous steps, an error message will be displayed after login: "This user is not an administrator of this site and cannot log in." At this point, you need to go to My Team -> Users, find the corresponding user, click on the username to get the User ID, and enter it into the Admin section of the Dashboard configuration file. After restarting the Dashboard service, try logging in again.

Cloudflare Access OAuth2 Configuration ​

Example Configuration: ​

Configuration Description: ​

Setting Up a New SaaS-OIDC Application ​

Identity Verification Strategy Configuration ​

Policy Configuration Example (One-time PIN) ​

Testing the Policy ​