Cloudflare Access — Thoryn as a generic OIDC IdP
Cloudflare Access protects internal apps with identity-aware proxies. Thoryn as the IdP gates access to anything Cloudflare fronts.
- cloudflare
- oidc
- infra
Tested against: hub: 1.0.0, cloudflare: Access 2026
What you get
Cloudflare Access uses Thoryn as the OIDC IdP. Any internal app behind Access — admin tools, staging environments, partner portals — authenticates through Hub before the request reaches the origin.
Setup
1. In Thoryn
```bash
hub clients create \
  --name "Cloudflare Access" \
  --redirect-uri "https://YOUR-TEAM.cloudflareaccess.com/cdn-cgi/access/callback" \
  --grant-types authorization_code,refresh_token \
  --scopes "openid email profile groups"
```
2. In Cloudflare Zero Trust
Zero Trust → Settings → Authentication → Login methods → Add → Generic OIDC. Configure:
| Field | Value |
|---|---|
| Name | Thoryn |
| App ID (Client ID) | (from step 1) |
| Client Secret | (from step 1) |
| Auth URL | https://hub.thoryn.org/oauth2/authorize |
| Token URL | https://hub.thoryn.org/oauth2/token |
| Certificate URL (JWKS) | https://hub.thoryn.org/.well-known/jwks.json |
| OIDC Claims | email, groups |
3. Build access policies
In Zero Trust → Access → Applications, create a policy that requires Thoryn login + a specific group claim:
Selector: identity_provider == "Thoryn" AND groups contains "admin"
Caveats
- Cloudflare Access pricing: free tier covers up to 50 users; beyond that needs a paid plan.
- Group claim format: Cloudflare expects `groups` as an array of strings. Make sure Hub serialises group memberships consistently.
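The group-claim caveat can be checked before any policy depends on it. The following is an added example, not Thoryn or Cloudflare code: it decodes the payload of an ID token from your own test login and lints the shape of the `email` and `groups` claims. The function names and sample tokens are constructed for illustration, and the signature is deliberately not verified because this is a shape check only.

```python
import base64
import json

REQUIRED_CLAIMS = ("email", "groups")  # the "OIDC Claims" row in the table above

def decode_payload(jwt: str) -> dict:
    """Decode the payload segment of a compact JWT. No signature check:
    this is a shape lint for a token you obtained yourself, not validation."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def lint_claims(claims: dict) -> list[str]:
    """Return a list of problems; an empty list means the shape is as expected."""
    problems = [f"missing claim: {n}" for n in REQUIRED_CLAIMS if n not in claims]
    if "groups" not in claims:
        return problems
    groups = claims["groups"]
    if isinstance(groups, str):
        problems.append("groups is a single string, not an array of strings")
    elif not isinstance(groups, list):
        problems.append(f"groups is {type(groups).__name__}, not an array")
    else:
        bad = [g for g in groups if not isinstance(g, str)]
        if bad:
            problems.append(f"groups contains {len(bad)} non-string entries")
    return problems

def make_sample_jwt(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed samples (assumption), not real Hub output.
SAMPLES = {
    "array": {"email": "a@example.com", "groups": ["admin", "dev"]},
    "csv_string": {"email": "a@example.com", "groups": "admin,dev"},
    "objects": {"email": "a@example.com", "groups": [{"name": "admin"}]},
    "no_groups": {"email": "a@example.com"},
}

if __name__ == "__main__":
    for label, claims in SAMPLES.items():
        print(label, lint_claims(decode_payload(make_sample_jwt(claims))))
```

Only the `array` sample passes cleanly; the other three are the inconsistent serialisations the caveat warns about.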