Assumptions:
Name: Cloudflare
Authorization flow: default-provider-authorization-implicit-consent
Client type: Confidential
Client ID: copy and save it (it is pasted into Cloudflare below)
Client Secret: copy and save it (it is shown only once)
Redirect URI/s: https://YOURTEAM.cloudflareaccess.com/cdn-cgi/access/callback
Signing Key: authentik Self-signed Certificate (or any RSA certificate you prefer)
Save.
IMPORTANT: If you leave the signing key empty, Authentik publishes no RS256 key at the JWKS endpoint that Cloudflare fetches to verify the ID token, and the Cloudflare test fails with “Failed to fetch user/group information from the identity provider”.
Name: Cloudflare
Slug: cloudflare
Provider: Cloudflare (the provider created above)
Policy engine mode: ANY
Save.
In the Cloudflare Zero Trust dashboard: Settings > Authentication
Add new > OpenID Connect
Name: Authentik
App ID: paste the Client ID saved earlier
Client secret: paste the Client Secret saved earlier
Auth URL: https://auth.example.com/application/o/authorize/ (auth.example.com stands for your Authentik hostname throughout)
Token URL: https://auth.example.com/application/o/token/
Certificate URL: https://auth.example.com/application/o/cloudflare/jwks/ (the cloudflare part of the URL is the application slug defined in the previous step, not the provider name; update it accordingly, otherwise Cloudflare fetches the JWKS of a non-existent application)
Save
Test: it should quickly connect to Authentik and say “Your connection works!”
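Before clicking Test, it is worth checking the three URLs against what Authentik itself advertises. The script below is an added example (not part of the original guide and not Authentik's or Cloudflare's code). It assumes, as the guide does, that Authentik exposes a per-application discovery document at https://auth.example.com/application/o/<slug>/.well-known/openid-configuration and shares the authorize and token endpoints across applications; the discovery and JWKS documents in it are constructed samples in that shape, and the hostname and slug are the guide's placeholders. It catches the two mistakes described above: a wrong slug in the Certificate URL, and a provider with no signing key (empty JWKS).

```python
"""Cross-check the Cloudflare OIDC settings against what Authentik advertises.

Added example, not from the original guide. The discovery and JWKS documents
below are constructed samples; fetch the real ones with urllib or curl from
<base>/application/o/<slug>/.well-known/openid-configuration and the jwks_uri
it advertises to check a live install.
"""
import json
from urllib.parse import urljoin

AUTHENTIK_BASE = "https://auth.example.com"   # placeholder host from the guide
SLUG = "cloudflare"                            # application slug from the guide

# Constructed sample: the discovery document Authentik serves for SLUG.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://auth.example.com/application/o/cloudflare/",
  "authorization_endpoint": "https://auth.example.com/application/o/authorize/",
  "token_endpoint": "https://auth.example.com/application/o/token/",
  "userinfo_endpoint": "https://auth.example.com/application/o/userinfo/",
  "jwks_uri": "https://auth.example.com/application/o/cloudflare/jwks/",
  "id_token_signing_alg_values_supported": ["RS256"]
}""")

# Constructed sample JWKS with one RS256 signing key (n/e are dummy values).
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig",
                         "kid": "example-kid", "n": "AQAB", "e": "AQAB"}]}

# What the JWKS endpoint looks like when the provider has no signing key set.
EMPTY_JWKS = {"keys": []}


def cloudflare_oidc_settings(authentik_base, slug):
    """Return the values the guide pastes into Settings > Authentication."""
    base = authentik_base.rstrip("/") + "/"
    return {
        "auth_url": urljoin(base, "application/o/authorize/"),
        "token_url": urljoin(base, "application/o/token/"),
        # The slug here is the common mistake: it must be the application
        # slug, not the provider name.
        "certificate_url": urljoin(base, f"application/o/{slug}/jwks/"),
        "issuer": urljoin(base, f"application/o/{slug}/"),
    }


def check_settings(settings, discovery, jwks):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    pairs = (("auth_url", "authorization_endpoint"),
             ("token_url", "token_endpoint"),
             ("certificate_url", "jwks_uri"),
             ("issuer", "issuer"))
    for ours, theirs in pairs:
        if discovery.get(theirs) != settings[ours]:
            problems.append(f"{ours}: you entered {settings[ours]!r} but the "
                            f"provider advertises {discovery.get(theirs)!r}")
    # Cloudflare verifies the ID token signature with a key from the JWKS,
    # so there must be an RS256 signing key with a kid to match on.
    sig_keys = [k for k in jwks.get("keys", [])
                if k.get("use", "sig") == "sig"
                and k.get("alg", "RS256") == "RS256"
                and k.get("kid")]
    if not sig_keys:
        problems.append("JWKS has no RS256 signing key: set a Signing Key on "
                        "the Authentik provider (see the IMPORTANT note)")
    return problems


if __name__ == "__main__":
    cases = ((SLUG, SAMPLE_JWKS), ("myapp", SAMPLE_JWKS), (SLUG, EMPTY_JWKS))
    for slug, jwks in cases:
        found = check_settings(cloudflare_oidc_settings(AUTHENTIK_BASE, slug),
                               SAMPLE_DISCOVERY, jwks)
        print(f"slug={slug!r} keys={len(jwks['keys'])}: "
              + ("OK" if not found else "; ".join(found)))
```

Running it as-is prints one OK line and two failing lines, one for the wrong slug (Certificate URL and issuer both disagree with the discovery document) and one for the empty JWKS. To check a real deployment, replace SAMPLE_DISCOVERY and SAMPLE_JWKS with the JSON fetched from your Authentik host.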
Go to Access > Applications
Add an application
Self-hosted
Enter an application name: myapp
Session duration: 24 hours
Application domain: specify the address of your currently exposed service (found in Access > Tunnels > )
Identity providers: untick “accept all available identity providers” and select only “OpenID Connect Authentik”
Tick “Skip identity provider selection if only one is configured”
Next
Policy name: allow
Action: allow
Session duration: same as application
Selector: Everyone (with this selector any account that Authentik lets sign in is allowed through; to restrict access, bind a policy to the Cloudflare application in Authentik, or use a narrower Cloudflare selector such as Emails or Emails ending in)
Next
Add
Go to your website. You will be redirected to Authentik, to a URL like https://auth.example.com/if/flow/default-authentication-flow/...
If not already authenticated in Authentik, do so.
You can now see your website. It is now behind Cloudflare Access with Authentik as the identity provider. Keep in mind that Access only protects requests that pass through Cloudflare, so the origin must stay reachable only through the tunnel and not directly from the internet.