Keycloak and Cloudflare Zero Trust Setup

Tested with Keycloak 16.1.1 (WildFly distribution). This has not been tested with the Quarkus distributions, which by default serve realms without the /auth path prefix that appears in the URLs below.

This covers how to use Keycloak as a generic OIDC provider for Cloudflare Zero Trust, so that users reaching Access-protected applications authenticate against Keycloak.

Required Information and Access

  • Access to the Keycloak admin console
  • Access to Cloudflare Zero Trust for your team
  • A Realm created in Keycloak already
  • The name of your Cloudflare team

Fake data used in this example:

  • Keycloak URL: https://keycloak-instance
  • Keycloak Client ID: cloudflare
  • Keycloak Realm: test-realm
  • Cloudflare team name: test-team

Configure Keycloak

  1. Select the realm you want to use
  2. Navigate to Clients, then click Create
  • Enter a unique client ID (such as cloudflare).
  • Ensure Client Protocol is set to openid-connect
  • Leave Root URL blank
  • Click Save
  3. Open the settings of the newly-created client.
  • Change Access Type to confidential, so that Keycloak requires the client secret when Cloudflare redeems the authorization code at the token endpoint
  • Add a valid redirect URI. This is based on your Cloudflare team name and is shown when setting up an OIDC authentication provider. At the time of writing, it follows the format https://<team-name>.cloudflareaccess.com/cdn-cgi/access/callback. Enter the exact URI; do not use a wildcard such as https://*.cloudflareaccess.com/*, since that widens where Keycloak is willing to send authorization codes.
  • Click Save
  4. Click the Credentials tab
  • Ensure the client authenticator is set to Client Id and Secret
  • Copy the client secret and treat it like a password; it is entered once in Cloudflare and should not be committed to documentation or source control

Configure Cloudflare Zero Trust

This section requires information about your current OIDC configuration. Keycloak publishes an OpenID Connect discovery document for each realm at https://keycloak-instance/auth/realms/test-realm/.well-known/openid-configuration (drop the /auth segment on Quarkus-based Keycloak).

You will need three URLs from that document. The list below names them as Cloudflare labels them; the value in parentheses is the key in the discovery document.

  • The Auth URL (authorization_endpoint)
  • The Token URL (token_endpoint)
  • The Certificate URL (jwks_uri), which Cloudflare uses to fetch Keycloak's public keys and verify the signature on the ID tokens it receives
  1. Log into your Cloudflare Dashboard. Click Zero Trust.
  2. Navigate to Settings, then Authentication. Click Add New, then click OpenID Connect.
  3. Enter the following information:
  • Name: whatever you want
  • App ID: your Keycloak client ID (cloudflare in this example)
  • Client secret: the client secret copied from Keycloak above
  • The Auth URL, Token URL, and Certificate URL from the discovery document above
  4. Add any optional claims you want Cloudflare to pass along to authenticated applications. A claim only arrives if Keycloak actually includes it in the ID token for this client, so check the token contents if an application does not see the value you expect.
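The two procedures above amount to a Keycloak client definition and a small mapping from the realm's discovery document onto Cloudflare's OIDC form. The script below is an added example, not code from the page or from either product. It uses the fake values from the walkthrough (keycloak-instance, test-realm, cloudflare, test-team), embeds a constructed discovery document in place of a live fetch, and adds the checks a reviewer would want: the redirect URI is exact and HTTPS on a cloudflareaccess.com host, and every endpoint handed to Cloudflare is an HTTPS URL on the Keycloak host with the expected issuer.

```python
import json
from urllib.parse import urlparse

# Fake values from the walkthrough (assumptions, not real hosts).
KEYCLOAK_URL = "https://keycloak-instance"
REALM = "test-realm"
CLIENT_ID = "cloudflare"
TEAM = "test-team"

# Cloudflare Access callback format described in the text.
CALLBACK_TEMPLATE = "https://{team}.cloudflareaccess.com/cdn-cgi/access/callback"

# Cloudflare OIDC field name -> key in the OpenID discovery document.
CLOUDFLARE_FIELDS = {
    "Auth URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "Certificate URL": "jwks_uri",
}

# Constructed stand-in for what a Keycloak 16 realm serves at
# /auth/realms/<realm>/.well-known/openid-configuration (only the keys used here).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://keycloak-instance/auth/realms/test-realm",
  "authorization_endpoint": "https://keycloak-instance/auth/realms/test-realm/protocol/openid-connect/auth",
  "token_endpoint": "https://keycloak-instance/auth/realms/test-realm/protocol/openid-connect/token",
  "jwks_uri": "https://keycloak-instance/auth/realms/test-realm/protocol/openid-connect/certs"
}""")


def cloudflare_redirect_uri(team: str) -> str:
    """Exact redirect URI to register on the Keycloak client for a given team."""
    return CALLBACK_TEMPLATE.format(team=team)


def discovery_url(keycloak_url: str, realm: str) -> str:
    """Discovery document URL for a Keycloak 16 (WildFly) deployment.
    Quarkus-based Keycloak serves realms without the /auth prefix by default."""
    return f"{keycloak_url}/auth/realms/{realm}/.well-known/openid-configuration"


def keycloak_client_representation(client_id: str, team: str) -> dict:
    """Keycloak ClientRepresentation matching the admin-console steps above:
    openid-connect protocol, confidential access type, Client Id and Secret
    authenticator, blank root URL, and a single exact redirect URI."""
    return {
        "clientId": client_id,
        "protocol": "openid-connect",
        "publicClient": False,                        # Access Type: confidential
        "clientAuthenticatorType": "client-secret",   # Client Id and Secret
        "standardFlowEnabled": True,                  # authorization code flow
        "rootUrl": "",
        "redirectUris": [cloudflare_redirect_uri(team)],
    }


def redirect_uri_problems(client: dict) -> list:
    """Flag redirect URIs that would let a third party receive the authorization
    code: wildcards, non-HTTPS schemes, or hosts outside cloudflareaccess.com."""
    problems = []
    for uri in client.get("redirectUris", []):
        parsed = urlparse(uri)
        if "*" in uri:
            problems.append(f"wildcard in redirect URI: {uri}")
        if parsed.scheme != "https":
            problems.append(f"non-HTTPS redirect URI: {uri}")
        host = parsed.hostname or ""
        if not host.endswith(".cloudflareaccess.com"):
            problems.append(f"redirect host is not a cloudflareaccess.com team: {uri}")
    return problems


def cloudflare_oidc_settings(discovery: dict, keycloak_url: str, realm: str,
                             client_id: str, client_secret: str, name: str) -> dict:
    """Map the discovery document onto the fields of Cloudflare's OpenID Connect
    form, refusing a wrong issuer or endpoints not served over HTTPS by Keycloak."""
    expected_issuer = f"{keycloak_url}/auth/realms/{realm}"
    if discovery.get("issuer") != expected_issuer:
        raise ValueError(f"issuer {discovery.get('issuer')!r} != {expected_issuer!r}")
    keycloak_host = urlparse(keycloak_url).hostname
    settings = {"Name": name, "App ID": client_id, "Client secret": client_secret}
    for field, key in CLOUDFLARE_FIELDS.items():
        url = discovery.get(key)
        parsed = urlparse(url or "")
        if not url or parsed.scheme != "https" or parsed.hostname != keycloak_host:
            raise ValueError(f"{key} must be an HTTPS URL on {keycloak_host}: {url!r}")
        settings[field] = url
    return settings


if __name__ == "__main__":
    client = keycloak_client_representation(CLIENT_ID, TEAM)
    assert not redirect_uri_problems(client)
    print(json.dumps(client, indent=2))
    print(json.dumps(cloudflare_oidc_settings(SAMPLE_DISCOVERY, KEYCLOAK_URL, REALM,
                                              CLIENT_ID, "<secret from Credentials tab>",
                                              "Keycloak"), indent=2))
```

The first JSON object printed is a Keycloak client representation that can be loaded with the admin CLI (kcadm.sh create clients -r test-realm -f client.json) instead of clicking through the console; the second is the set of values to type into Cloudflare's OpenID Connect form. Against a real deployment, replace SAMPLE_DISCOVERY with the JSON fetched from discovery_url(), and keep the client secret out of the script itself.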