Cloudflare Access with GitHub (OIDC)
Cloudflare Access with GitHub (OIDC)
Section titled “Cloudflare Access with GitHub (OIDC)”Protect your dev tunnel https://tunnel.wenzelarifiandi.com with GitHub sign‑in and phishing‑resistant MFA.
Prerequisites
Section titled “Prerequisites”- Cloudflare Zero Trust account for
wenzelarifiandi.com cloudflaredinstalled locally (brew install cloudflared)- Named tunnel configured (already set up by scripts): hostname
tunnel.wenzelarifiandi.com→127.0.0.1:4321 - Your GitHub account (or org/team) to allow
Step 1 — Add GitHub as an IdP in Cloudflare Zero Trust
Section titled “Step 1 — Add GitHub as an IdP in Cloudflare Zero Trust”- Go to Cloudflare Dashboard → Zero Trust → Settings → Authentication → Login methods.
- Click “Add new” → choose “GitHub”.
- Keep defaults (OIDC) and authorize Cloudflare with your GitHub.
- Save. Ensure GitHub appears as an enabled login method.
Tip: You can add multiple IdPs later (e.g., Google) without changing app code.
Step 2 — Create an Access application for the tunnel
Section titled “Step 2 — Create an Access application for the tunnel”- Zero Trust → Access → Applications → Add an application.
- Choose “Self‑hosted”.
- Application name:
ariane-dev-tunnel - Domain:
tunnel.wenzelarifiandi.com - Session duration: 12 hours (adjust later if needed)
- Identity providers: Select “GitHub” (and any others you added)
- Save and create policy when prompted.
Step 3 — Create a strict policy
Section titled “Step 3 — Create a strict policy”- Policy name:
allow-github-wenzel - Action: Allow
- Include:
- Emails → add your GitHub email (or)
- GitHub Organization/Team → select your org/team if applicable
- Require:
- Authentication Method → Hardware security key (FIDO2/WebAuthn)
- (Optional) Country → only your country when traveling
- (Optional) Device posture → if you use WARP and posture checks
- Exclude: None (keep strict)
- Session duration: 12h; Idle timeout: 1–2h
Create a second disabled “Break‑glass” rule (optional):
- Action: Allow
- Include: your email
- Require: One‑time PIN
- Keep it disabled and enable only if you lose your security key.
Step 4 — Run dev and tunnel locally
Section titled “Step 4 — Run dev and tunnel locally”- Start the Astro dev server with Cloudflare‑aware HMR:
Terminal window npm --prefix site run dev:cf - In another terminal, run the named tunnel:
Terminal window npm --prefix site run cf:tunnel:named - Or run both together:
Terminal window npm --prefix site run dev:bubble:cf:named
Visit https://tunnel.wenzelarifiandi.com. You should see the Cloudflare Access prompt and then the GitHub login. After approval, your dev site should load and HMR work over the tunnel.
Troubleshooting
Section titled “Troubleshooting”- 502 Bad Gateway: Ensure the local dev server is running on
http://127.0.0.1:4321before starting the tunnel (scripts already wait). Checksite/astro.config.mjssetsserver.hostto127.0.0.1and port4321. - Host not allowed (Vite): In dev we set
vite.server.allowedHosts = "all"to permit the tunnel host. - HMR not connecting: Use
npm run dev:cfso HMR useswss://tunnel.wenzelarifiandi.com. - Access prompt doesn’t appear: Confirm the Access application is created for the exact hostname and that GitHub is enabled as a login method.
Security notes
Section titled “Security notes”- Enforce hardware security keys via Cloudflare Access policies; application authentication now relies on Access + ZITADEL upstream.
- Keep One‑time PIN disabled except for a break‑glass rule.
- You can later switch or add IdPs (Azure AD/Okta) without changing this repo—only Access settings.
FAQ — Do I need to register a GitHub OAuth app?
Section titled “FAQ — Do I need to register a GitHub OAuth app?”Short answer: Not for Cloudflare Access. When you add GitHub under Zero Trust → Authentication → Login methods, Cloudflare acts as the OAuth client. You don’t need your own GitHub OAuth app to use Access.
When you might register your own GitHub OAuth app:
- If your application itself needs to call GitHub APIs on behalf of a user or sign users in directly with GitHub (outside of Cloudflare Access).
If you do create a GitHub OAuth app (GitHub → Settings → Developer settings → OAuth Apps → New OAuth App):
- Application name:
Ariane(orAriane Dev) - Homepage URL:
https://wenzelarifiandi.com(or your project site) - Application description: concise purpose, e.g.,
Local dev access and integrations for Ariane - Authorization callback URL: depends on your flow
- For Cloudflare Access: not required (Access handles callbacks)
- For your own app OAuth: set to your app’s callback endpoint, e.g.
https://tunnel.wenzelarifiandi.com/api/oauth/github/callback(or your production domain)
- Enable Device Flow: optional. Useful for CLIs/devices without browsers; otherwise leave off.
Important: If you only need perimeter protection for your dev site, stick with Cloudflare Access + GitHub login methods—no extra GitHub OAuth app needed.
Where to get Client ID/Secret and where to put them
Section titled “Where to get Client ID/Secret and where to put them”If you created a GitHub OAuth app (for app-level login/integrations):
- Get credentials from GitHub
- GitHub → Settings → Developer settings → OAuth Apps → select your app.
- Copy “Client ID” and generate a new “Client Secret”.
- Put them in your local
.env(never commit secrets)
- Edit
site/.env(copy fromsite/.env.exampleif missing):GITHUB_OAUTH_CLIENT_ID=...GITHUB_OAUTH_CLIENT_SECRET=...GITHUB_OAUTH_CALLBACK_URL=https://tunnel.wenzelarifiandi.com/api/oauth/github/callback
- Put production values in Vercel Project Settings (Site)
- Vercel → Project (site) → Settings → Environment Variables
- Add the same keys with production callback URL:
GITHUB_OAUTH_CLIENT_IDGITHUB_OAUTH_CLIENT_SECRETGITHUB_OAUTH_CALLBACK_URL=https://wenzelarifiandi.com/api/oauth/github/callback
- Add the same keys with production callback URL:
- Redeploy to apply.
Tip: rotate secrets if exposed; you can generate a new GitHub Client Secret any time and update env vars.