Authentication
Set up and configure authentication for Pixelflare CDN deployments, using a provider of your choice.
Pixelflare supports the following authentication methods:
- Cloudflare Zero Trust - Cloudflare's built-in enterprise identity + access management
- OAuth - Direct OAuth integration using Auth.js
- No Authentication - Disable authentication entirely
- Mock Authentication - For local development only
Supported Identity Providers
| Provider | OAuth | Cloudflare Zero Trust |
|---|---|---|
| Apple | ✅ | ❌ |
| Atlassian | ✅ | ❌ |
| Auth0 | ✅ | *️⃣ |
| Authentik | ✅ | *️⃣ |
| Azure Active Directory (incl. B2C) | ✅ | ✅ |
| Amazon Cognito | ✅ | *️⃣ |
| Discord | ✅ | ❌ |
| ✅ | ✅ | |
| GitHub | ✅ | ✅ |
| GitLab | ✅ | *️⃣ |
| ✅ | ✅ | |
| ✅ | ❌ | |
| Keycloak | ✅ | *️⃣ |
| ✅ | ✅ | |
| Okta | ✅ | ✅ |
| OneLogin | ✅ | ✅ |
| Patreon | ✅ | ❌ |
| PingOne / Ping Identity | ❌ | ✅ |
| ✅ | ❌ | |
| Salesforce | ❌ | *️⃣ |
| Slack | ✅ | ❌ |
| Twitter (v2 OAuth) | ✅ | ❌ |
| Yandex | ✅ | ✅ |
| Zoom | ✅ | *️⃣ |
Legend: ✅ Supported | ❌ Not Supported | *️⃣ Supported Indirectly
Note:
- GitLab, Salesforce, Zoom, Keycloak, Authentik, WorkOS and BoxyHQ SAML are supported indirectly on Cloudflare via SAML
- Auth0, Amazon Cognito, Keycloak, Authentik, WorkOS as well as other providers are supported on Cloudflare via OIDC
- Some auth providers are untested and may/probably will require additional configuration within the app and Cloudflare
Auth Flow
```mermaid
flowchart TB
    Start([Authentication Request]) --> Mode{AUTH_MODE}
    Mode -->|cloudflare| CFA[Cloudflare Access<br/>Zero Trust]
    Mode -->|authjs| AJS[Auth.js<br/>Self-hosted OAuth]
    Mode -->|none| MOCK[Mock Auth<br/>Development Only]
    subgraph "Cloudflare Access Flow"
        CFA --> CFCheck[Check CF_Authorization Cookie]
        CFCheck --> CFVerify[Verify JWT with<br/>Cloudflare JWKS]
        CFVerify --> CFHash[Hash 'sub' claim<br/>to create owner ID]
        CFHash --> CFUser[Load User from D1<br/>by cf_sub]
        CFUser --> CFCreate{User Exists?}
        CFCreate -->|No| CFNew[Create New User Record]
        CFCreate -->|Yes| CFReturn[Return User Session]
        CFNew --> CFReturn
    end
    subgraph "Auth.js Flow"
        AJS --> AJSCheck[Check Session Cookie]
        AJSCheck --> AJSVerify[Verify Session JWT]
        AJSVerify --> AJSLoad[Load User from D1<br/>via Drizzle Adapter]
        AJSLoad --> AJSCheck2{User Exists?}
        AJSCheck2 -->|No| AJSOAuth[Redirect to GitHub OAuth]
        AJSCheck2 -->|Yes| AJSReturn[Return User Session]
        AJSOAuth --> AJSCallback[OAuth Callback]
        AJSCallback --> AJSCreate[Create User in D1]
        AJSCreate --> AJSReturn
    end
    subgraph "Mock Auth Flow"
        MOCK --> MockHeader[Read X-Mock-Auth Header]
        MockHeader --> MockParse["Parse JSON:<br/>{owner: 'alice'}"]
        MockParse --> MockDefault{Header Present?}
        MockDefault -->|Yes| MockUser[Use Specified Owner]
        MockDefault -->|No| MockAnon[Default: anonymous]
        MockUser --> MockReturn[Return Mock Session]
        MockAnon --> MockReturn
    end
    CFReturn --> Done([Authenticated Session])
    AJSReturn --> Done
    MockReturn --> Done
    style CFA fill:#F6821F
    style AJS fill:#4A90E2
    style MOCK fill:#FFD700
    style Done fill:#90E24A
```
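The mock branch in the flow above takes the owner from a request header the client controls, so whoever can reach the deployment picks their own identity. The following is an added example, not Pixelflare's own code, of parsing `X-Mock-Auth` strictly and refusing `AUTH_MODE=none` outside development; the `ENVIRONMENT` variable, the owner-name pattern and the fallback to `anonymous` for a bad header are assumptions.

```javascript
// Added example, not Pixelflare source. AUTH_MODE values and the X-Mock-Auth
// header come from the flow above; ENVIRONMENT, the owner pattern and the
// fallback-to-anonymous policy for bad headers are assumptions.
const OWNER_PATTERN = /^[a-z0-9][a-z0-9_-]{0,31}$/;

// Mock branch: read X-Mock-Auth ({"owner":"alice"}); never throws.
function parseMockAuth(headers) {
  const raw = headers.get('x-mock-auth'); // Headers lookup is case-insensitive
  if (raw === null) return { owner: 'anonymous', source: 'default' };
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return { owner: 'anonymous', source: 'rejected:malformed-json' };
  }
  const owner = parsed !== null && typeof parsed === 'object' ? parsed.owner : undefined;
  if (typeof owner !== 'string' || !OWNER_PATTERN.test(owner)) {
    return { owner: 'anonymous', source: 'rejected:invalid-owner' };
  }
  return { owner, source: 'header' };
}

// Startup gate: pick the branch for AUTH_MODE and fail closed otherwise.
function selectAuthBranch(env) {
  const mode = env.AUTH_MODE;
  if (mode === 'cloudflare' || mode === 'authjs') return mode;
  if (mode === 'none') {
    if (env.ENVIRONMENT === 'development') return 'mock';
    throw new Error('AUTH_MODE=none is only allowed when ENVIRONMENT=development');
  }
  throw new Error(`Unknown AUTH_MODE: ${String(mode)}`);
}

// Constructed header values, one per outcome.
const samples = [null, '{"owner":"alice"}', '{owner: alice', '{"owner":"../admin"}', '["alice"]'];
for (const value of samples) {
  const headers = new Headers(value === null ? {} : { 'X-Mock-Auth': value });
  console.log(JSON.stringify(value), '->', JSON.stringify(parseMockAuth(headers)));
}
for (const env of [{ AUTH_MODE: 'none', ENVIRONMENT: 'development' }, { AUTH_MODE: 'none', ENVIRONMENT: 'production' }]) {
  try {
    console.log(JSON.stringify(env), '->', selectAuthBranch(env));
  } catch (err) {
    console.log(JSON.stringify(env), '-> refused:', err.message);
  }
}
```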