
Cloudflare Access

Overview

Cloudflare Access is Cloudflare's identity-aware application-proxy product. It sits in front of applications (self-hosted or SaaS) and enforces identity, device and network policy via OIDC / SAML / one-time PIN flows before forwarding authenticated requests to the origin. It is part of the broader Cloudflare One / Zero Trust suite.

Closely related to / a rebrand of the earlier Zero Trust Access capability surfaced elsewhere in the wiki.

Managed OAuth support for agents (Agents Week 2026)

Cloudflare announced during Agents Week 2026 (see managed OAuth for Access) that Access fully supports RFC 9728 OAuth Protected Resource Metadata. Concretely:

  • Access-protected applications now advertise their authorization-server discovery metadata at the RFC 9728-mandated well-known path.
  • When an agent receives a protected URL and gets a 401 response, it can fetch the metadata, find the authorization-server URL, drive the human user through a scoped OAuth consent flow, and come out the other side with a per-agent token the Access origin accepts.
  • The named demo scenario in the 2026-04-17 post has OpenCode receiving an Access-protected URL from a user, sending the user through Access's OAuth consent, and succeeding on subsequent authenticated calls — no session reuse, no token pasting, no ambient browser authority.
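As an added example (not Cloudflare's code, and not code from the Agents Week post), here is the client side of the discovery step the bullets above describe: parse the 401 challenge, derive the RFC 9728 metadata URL, and validate the document before trusting the authorization server it names. Host names, scope names and the injected `fetch` callable are assumptions made for the example.

```python
import json
import re
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"

# Constructed sample: a 401 challenge that points at the metadata, and the metadata document.
# Hostnames and scope names are assumptions for the example, not Cloudflare's actual values.
SAMPLE_401_HEADERS = {
    "WWW-Authenticate": 'Bearer error="invalid_token", '
                        f'resource_metadata="https://app.example.com{WELL_KNOWN}"',
}
SAMPLE_DOCS = {
    f"https://app.example.com{WELL_KNOWN}": json.dumps({
        "resource": "https://app.example.com",
        "authorization_servers": ["https://auth.example.com"],
        "scopes_supported": ["files:read", "files:write"],
    }),
}

def metadata_url_from_challenge(www_authenticate: str) -> Optional[str]:
    """Pull the resource_metadata URL out of a 'WWW-Authenticate: Bearer ...' challenge."""
    m = re.search(r'resource_metadata="([^"]+)"', www_authenticate)
    return m.group(1) if m else None

def well_known_url(resource: str) -> str:
    """Default metadata location: the well-known segment is inserted before the resource path."""
    p = urlsplit(resource)
    return urlunsplit((p.scheme, p.netloc, WELL_KNOWN + p.path.rstrip("/"), "", ""))

def discover(resource: str, headers: Dict[str, str], fetch: Callable[[str], str]) -> Dict[str, object]:
    """Locate, fetch (via the injected callable) and validate the metadata for `resource`.
    Raises ValueError when the document must not be trusted for this resource."""
    url = metadata_url_from_challenge(headers.get("WWW-Authenticate", "")) or well_known_url(resource)
    if urlsplit(url).scheme != "https":
        raise ValueError("protected resource metadata must be served over https")
    meta = json.loads(fetch(url))
    # RFC 9728 requires the client to check that the document's resource value is the one it
    # asked for; skipping this lets a spoofed challenge steer the agent to the wrong auth server.
    if meta.get("resource") != resource:
        raise ValueError(f"metadata is for {meta.get('resource')!r}, not {resource!r}")
    servers: List[str] = meta.get("authorization_servers") or []
    if not servers or any(urlsplit(s).scheme != "https" for s in servers):
        raise ValueError("no https authorization server advertised")
    return {"authorization_server": servers[0], "scopes": list(meta.get("scopes_supported", []))}
```

The returned authorization server is where the agent sends the human for the scoped consent step; the per-agent token that comes back is then presented to the origin on the retry.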

Why this matters for agent workloads

Pre-RFC-9728, the prevailing workaround for agents needing authenticated access was to let the agent pilot the user's browser session. This is the "use the logged-in browser" posture: agents effectively impersonate the human everywhere with no per-agent consent, no scope limitation, and no audit trail specific to the agent. Unsafe at scale.

Access with RFC 9728 enables per-agent OAuth scoping: per-resource tokens, per-scope grants, revocable at any time and auditable per agent in Access logs. This is the agent-ergonomic authentication primitive the industry was missing.

Relationship to Agent Readiness Score

Agent Readiness Score checks for RFC 9728 OAuth metadata presence (described under the non-scoring OAuth check in the 2026-04-17 post). Access supplies the metadata automatically for Access-protected sites — so a Cloudflare-protected origin is agent-ready on the auth axis without origin-side work.

Require Access Protection (frontier-model defence context)

Cloudflare Access is the zero-trust layer in the frontier-model defence architecture. The implicit trust of "being inside the network" is replaced with explicit per-request identity and policy for every employee accessing every tool.

Require Access Protection ensures newly deployed or misconfigured applications cannot be reached before an access policy is in place. It was built after an engineer shipped a misconfigured tool; in Cloudflare's deployment the exposure stopped at the tool itself (no lateral movement across a flat network). Implements patterns/require-access-before-reachability.

IdP Federation makes the secure-by-default posture consistent: IdP is configured once and shared across the organisation. New accounts get SSO automatically; recipient-side IdP connections are read-only.

(Source: sources/2026-06-09-cloudflare-defend-against-frontier-cyber-models)
