PHPackages calips-labs/craft-cloudflare-access - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. calips-labs/craft-cloudflare-access ActiveCraft-plugin[Authentication & Authorization](/categories/authentication) calips-labs/craft-cloudflare-access =================================== Cloudflare Access integration for Craft CMS. 1.1.0(1y ago)14.6kproprietaryPHPPHP >=8.0.2 Since Jan 2Pushed 1y ago1 watchersCompare [ Source](https://github.com/calips-labs/craft-cloudflare-access)[ Packagist](https://packagist.org/packages/calips-labs/craft-cloudflare-access)[ RSS](/packages/calips-labs-craft-cloudflare-access/feed)WikiDiscussions main Synced 1mo ago READMEChangelog (6)Dependencies (5)Versions (7)Used By (0) Cloudflare Access ================= [](#cloudflare-access) Cloudflare Access integration for Craft CMS. This plugin makes it very easy to integrate [Cloudflare Access](https://www.cloudflare.com/products/zero-trust/access/)with Craft CMS. Cloudflare Access is a modern, zero trust solution to protect applications or websites. You can use it to protect the control panel of a Craft website, or even the complete website. This plugin adds automatic logging in to either the control panel, the frontend or both using the identity provided by Cloudflare. Cloudflare Access makes it easy to integrate various identity providers, like Okta, Microsoft Azure AD, Google Workspace or social media accounts like Facebook, GitHub or Google accounts. Cloudflare Access is free up to 50 users. It requires your sites traffic to be proxied through Cloudflare. How does this work? ------------------- [](#how-does-this-work) Each application protected by Cloudflare access is protected by a Cloudflare login page. This can be set for a full domain or a part of it (e.g. only `/admin/`). Cloudflare injects a [JWT](https://jwt.io/) header which contains a signature, expiry information, and the user's identity. This plugin decodes the JWT, attempts to find a matching user in Craft CMS, and automatically signs in that user when the user is not suspended or deactivated. This way you enable single sign-on for your users, which reduces friction, relieves them from saving another password, and you increase security when you rely on 2FA from external identity providers. You may choose to enable this feature for control panel URLs, frontend URLs, or both. This plugin does not create new users if they do not exist in Craft. Limitations ----------- [](#limitations) This plugin has currently the following limitations: - Logging out from the control panel does not log a user out from Cloudflare Access, effectively logging them in again immediately. - Users must exist in Craft CMS. They are not created automatically. - A user will still needs his password for elevated access in the control panel. This is a Craft CMS limitation. - Users which are not logged in automatically, will see the normal login screen. They can login using any account. Requirements ------------ [](#requirements) This plugin requires Craft CMS 4.3.5 or later, and PHP 8.0.2 or later. It also requires a Cloudflare Access application to be configured. See below for configuration instructions. Installation ------------ [](#installation) You can install this plugin from the Plugin Store or with Composer. #### From the Plugin Store [](#from-the-plugin-store) Go to the Plugin Store in your project’s Control Panel and search for “Cloudflare Access”. Then press “Install”. #### With Composer [](#with-composer) Open your terminal and run the following commands: ``` # go to the project directory cd /path/to/my-project.test # tell Composer to load the plugin composer require calips-labs/craft-cloudflare-access # tell Craft to install the plugin ./craft plugin/install cloudflare-access ``` Configuring Cloudflare Access ----------------------------- [](#configuring-cloudflare-access) 1. Go to the [Cloudflare Zero Trust dashboard](https://one.dash.cloudflare.com/). 2. Go to Access → Applications and click *Add an application*. 3. Pick *Self-hosted*. 4. Enter a name and set the domain, subdomain and optionally the path. If you want to protect the control panel only, enter `/admin/`. 5. Application appearance is only relevant for Cloudflare's app launcher. 6. Select which identity providers you accept. The default is to enable all identity providers. For testing, *One-time PIN* could be useful (you enter an e-mail address and then have to enter the PIN code sent to it). 7. Click *Next*. 8. You'll now have to create a policy. Enter a name and configure rules below. For testing, you might select *Everyone*which would allow everyone to log in. Better rules might check for the domain part of an e-mail address, or Azure Group ID's. 9. Click *Next*. 10. The CORS settings, Cookie settings and additional settings can be left unchanged. Click *Add application*. 11. In the applications overview, a new application is added. Click *Edit*. 12. Click *Overview*. Copy the *Application Audiance (AUD) Tag*. 13. Install the Cloudflare Access plugin to Craft, enable it and go to the plugin settings. 14. Enter the AUD tag. 15. You'll also have to enter the Team Domain. You can find this in the Cloudflare control panel under *Settings* → General. Copy the team domain including the last part containing `.cloudflareaccess.com`. 16. In the plugin settings, enable auto login for either the control panel and/or frontend. 17. Verify that your token is working as expected in Craft through Utilities → Cloudflare Access. It should show your Cloudflare login. **Note:**You can logout from Cloudflare Access using the following URL: `https://.cloudflareaccess.com/cdn-cgi/access/logout` This can be useful during testing. ### Health Score 32 — LowBetter than 71% of packages Maintenance32 Infrequent updates — may be unmaintained Popularity20 Limited adoption so far Community7 Small or concentrated contributor base Maturity55 Maturing project, gaining track record Bus Factor1 Top contributor holds 100% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~100 days Recently: every ~125 days Total 6 Last Release 720d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/fd7a17d6d76f3ded0d4e8903f506c325bf44da3e34e91ac99550365271e24804?d=identicon)[geertw](/maintainers/geertw) --- Top Contributors [![geertw](https://avatars.githubusercontent.com/u/683915?v=4)](https://github.com/geertw "geertw (39 commits)") --- Tags craftcmscraftcms-plugin ### Embed Badge ![Health badge](/badges/calips-labs-craft-cloudflare-access/health.svg) ``` [![Health](https://phpackages.com/badges/calips-labs-craft-cloudflare-access/health.svg)](https://phpackages.com/packages/calips-labs-craft-cloudflare-access) ``` ### Alternatives [tymon/jwt-auth JSON Web Token Authentication for Laravel and Lumen 11.5k49.1M344](/packages/tymon-jwt-auth)[php-open-source-saver/jwt-auth JSON Web Token Authentication for Laravel and Lumen 8359.8M52](/packages/php-open-source-saver-jwt-auth)[scheb/2fa Two-factor authentication for Symfony applications (please use scheb/2fa-bundle to install) 578630.7k1](/packages/scheb-2fa)[patrickbussmann/oauth2-apple Sign in with Apple OAuth 2.0 Client Provider for The PHP League OAuth2-Client 1132.5M6](/packages/patrickbussmann-oauth2-apple)[vonage/jwt A standalone package for creating JWTs for Vonage APIs 424.1M4](/packages/vonage-jwt)[scheb/2fa-trusted-device Extends scheb/2fa-bundle with trusted devices support 355.1M16](/packages/scheb-2fa-trusted-device) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)