Skip to main content

Configure ZITADEL as an OIDC Identity Provider on Cloudflare Zero Trust

This guide shows how to configure ZITADEL as OpenID Connect identity provider for Cloudflare Zero Trust.


  • Existing ZITADEL instance, organization, and project. Follow our get started guide to get started. If not present follow this guide
  • Existing Cloudflare account and team domain

Create the client in ZITADEL

Create the Cloudflare app

Go to the detail page of your project and click the "+"-button in the application-section. This will lead you to the the creation wizard.

Add application

Create the app by setting a name and select the application type "Web"

create web preview

Select the authentication method

The authentication method defines the communication flow during a login

code preview


Use if your application needs client id and client secret

Redirect URIs

During the login flow the application defines where a user is redirected to after login or logout.
ZITADEL verifies if the URL the user gets redirected to is valid by checking if one of the redirect URIs match.

  • Redirect URIs are verified during the login process.
    • The default redirect uri of your app is https://<your-team-name>
  • Post Logout URIs are verified during the logout process.

The default redirect uri of your app is https://<your-team-name>

Redirect URIs configuration

Review your configuration

The last page of the stepper shows a summary of what will be created. After you have reviewed the configuration you can create the application.

Client information

Please make sure to safe the client id and secret for later use in the application.

client infos

Send user info in tokens

Make sure to enable "User Info inside ID Token" on your application settings.

user info inside id token


Cloudflare will return an error "User email was not returned. API permissions are likely incorrect". Enable to send the user information inside the token on your client settings.

Configure Cloudflare Zero Trust Authentication

  1. On the Cloudflare dashboard go to Zero Trust, click settings, and then select "Authentication"
  2. Add a new login method with the type "OpenID Connect"
  3. Fill in the required information. Check the discovery endpoint of your instance https://{your_domain}/.well-known/openid-configuration for the urls. As mentioned in the Cloudflare docs the Certificate Url is jwks_uri.
  4. Disable PKCE (Cloudflare requires a client secret for PKCE, which is currently not supported)
  5. Add the following claims: "openid", "profile", "email"
  6. Test the connection

Example configuration

"config": {
"client_id": "<your client id>",
"client_secret": "<your client secret>",
"auth_url": "https://{your_domain}",
"token_url": "https://{your_domain}",
"certs_url": "https://{your_domain}",
"scopes": ["openid", "email", "profile"],
"pkce_enabled": false,
"type": "oidc",
"name": "Generic Google"