Allow cloudflare service tokens to be allowed list through epoxy #19
Open
Basis for this PR is that we want to fetch info from Cussos admin endpoints like users and organizations to allow easier setup in MFN/Slog.
Cussos admin web is behind Cloudflare Zero Trust.
Cloudflare has service tokens that serve this purpose quite well.
However, Cussos admin also has epoxy, which will block these when doing the external lookup to our directory.
So we need to bypass this directory lookup for service tokens.
An alternative is exposing endpoints with a non-epoxy middleware in Cussos and then doing the standard pub/priv key exchange between services. However, I thought this could be a neat alternative that can be used for other zero auth flows as well without having to set up new keypairs?
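
The bypass described in the PR description above, sketched as an added example (not code from this PR or from epoxy). It assumes the Cloudflare Access JWT has already been verified and that service-token JWTs carry the client ID in `common_name` with an empty `sub`; `authorize`, `directory_lookup` and the allowlist values are hypothetical names and constructed data.

```python
# Added example: the authorization decision for an already-verified Cloudflare
# Access JWT. Assumption: signature, issuer, audience and expiry were checked
# before this code runs, so `claims` can be trusted as issued by Cloudflare.
from typing import Callable, FrozenSet, Mapping

# Constructed client ID; real values come from the Zero Trust dashboard.
ALLOWED_SERVICE_TOKENS: FrozenSet[str] = frozenset({"constructed-client-id-1.access"})


def is_service_token(claims: Mapping[str, object]) -> bool:
    """Service-token JWTs carry a client ID in common_name and no user identity."""
    return (
        bool(claims.get("common_name"))
        and not claims.get("sub")
        and not claims.get("email")
    )


def authorize(
    claims: Mapping[str, object],
    directory_lookup: Callable[[str], bool],  # hypothetical stand-in for the directory check
    allowed: FrozenSet[str] = ALLOWED_SERVICE_TOKENS,
) -> bool:
    """Return True if the request may proceed."""
    if claims.get("common_name"):
        # Mixed claims (client ID plus a user identity) are rejected rather than
        # bypassed, so a user token cannot borrow the service-token path.
        if not is_service_token(claims):
            return False
        # The bypass applies only to explicitly allowlisted client IDs; any
        # other valid service token is denied instead of skipping the lookup.
        return claims["common_name"] in allowed

    # Human users keep going through the directory lookup, unchanged.
    email = claims.get("email")
    if not isinstance(email, str) or not email:
        return False
    return bool(directory_lookup(email))
```

The decision is taken from JWT claims rather than from request headers, because the claims are what the origin can verify as issued by Cloudflare.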