[Access] Fix OpenCode casing and use long-form --header flag #29711
caley-b wants to merge 1 commit into production from
This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:
Preview URL: https://09b7b336.preview.developers.cloudflare.com
Files with changes (up to 15)
| - [**Service tokens**](#use-service-tokens) — authenticates with a static credential pair. Use for headless or automated workflows where no browser is available. | ||
|
|
||
| :::note | ||
| Cloudflare Access also supports Managed OAuth to protected resources, which you can use to grant authorization to coding agents. |
Do we have a docs page for this yet? If so, we should link it.
| With `cloudflared`, your agent authenticates under your user identity. On first use, `cloudflared` opens a browser window for an interactive login. After that, the session persists for the [session duration](/cloudflare-one/access-controls/access-settings/session-management/) configured for the application. After the session expires, the next request requires a new browser login. | ||
|
|
||
| :::caution | ||
| `cloudflared` authentication relies on WebSockets, which may close unexpectedly during long-running sessions. If your agent requires persistent, unattended access, [service tokens](#use-service-tokens) are more reliable. |
This line doesn't really make sense. The WebSockets bit doesn't have much to do with the login. I would remove this whole caution block.
|
|
||
| - The response is a 302 redirect to a URL containing `cloudflareaccess.com` | ||
| - The response is a 403 with a `Cf-Access-Error` header | ||
| - The response includes a `WWW-Authenticate: Bearer` challenge header referencing a Cloudflare Access policy |
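Review bot: The first bullet's test, a 302 to a URL "containing `cloudflareaccess.com`", is a substring match, and an agent that follows it literally would also accept a redirect that only carries that string in a path, a query parameter or a look-alike hostname. Suggest wording it as a check on the redirect's host, for example "a 302 redirect whose `Location` host is your team domain (`<team-name>.cloudflareaccess.com`)", so the agent starts an Access login only for the real login endpoint.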
We return something that looks like this. It doesn't really reference a Cloudflare Access policy.
`www-authenticate: Cloudflare-Access resource_metadata="https://test.almightyzero.com/.well-known/cloudflare-access-protected-resource/headers"`
| A resource is protected by Cloudflare Access if any of the following are true: | ||
|
|
||
| - The response is a 302 redirect to a URL containing `cloudflareaccess.com` | ||
| - The response is a 403 with a `Cf-Access-Error` header |
I don't think that `cf-access-error` is a thing.
| Some agents make HTTP requests using their own client libraries instead of calling `cloudflared` directly. In this case, fetch a reusable token and pass it as a header: | ||
|
|
||
| ```bash | ||
| CF_TOKEN=$(cloudflared access token -app=https://example.com) |
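Review bot: `-app=` on the `cloudflared access token` line is a single-dash flag, while this PR's title says the page moves to the long-form `--header` flag; write it as `--app=https://example.com` so the flag style is consistent across the page (`cloudflared` accepts the double-dash form). Since the preceding sentence calls the token "reusable", it would also help to state that the value held in `CF_TOKEN` is a credential for the user's Access session and should stay out of `AGENTS.md`, logs and committed files.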
For both this and the skill file below I wouldn't refer to it like this. This is basically what `cloudflared access curl` does.
If you want to embed it in your program you should have it shell out to `cloudflared access login <hostname>` and get the token that way and include it as `cf-access-token`. I would reference it as curl.
|
|
||
| ## Configure your agent | ||
|
|
||
| Coding agents read project-level instruction files (commonly named `AGENTS.md`) to learn how to interact with tools and services in your development environment. Add the following snippet to your `AGENTS.md` file or agent skill configuration so that the agent can detect and authenticate to Access-protected resources: |
I'm gonna send a doc that Kyle just made internally for this.
Adds the authenticate-agents page for coding agents behind Cloudflare Access. Pertains to PCX-21534.