* Update linked-apps.mdx
Switch Access self hosted OAuth to use the UI and not the API
* add API instructions to tab
* update Selectors table
---------
Co-authored-by: Ranbel Sun <[email protected]>
Cloudflare Access can delegate access from any [self-hosted application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to an [Access for SaaS MCP server](/cloudflare-one/access-controls/ai-controls/saas-mcp/) via [OAuth](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization). The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the user, using the user's specific permissions and scopes.
14
14
@@ -36,7 +36,7 @@ accTitle: Link MCP servers and self-hosted applications in Access
36
36
idp[Identity provider] <--> SaaS
37
37
```
38
38
39
-
This guide covers how to use the Cloudflare API to link a self-hosted application to a remote MCP server. The core of this feature is the `linked_app_token` rule type, which allows an Access policy on one application to accept OAuth access tokens generated for another.
39
+
This guide covers how to use the Cloudflare API to link a self-hosted application to a remote MCP server. The core of this feature is the Linked App Token rule type, which allows an Access policy on one application to accept OAuth access tokens generated for another.
40
40
41
41
## Prerequisites
42
42
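Review bot: the rewritten line 39 still opens with "This guide covers how to use the Cloudflare API to link a self-hosted application", while this commit moves the guide to the dashboard and relegates the API to a tab; reword the opener to match, for example "This guide covers how to link a self-hosted application to a remote MCP server in Zero Trust or via the Cloudflare API." The rest of the line (renaming `linked_app_token` to the Linked App Token rule type) is fine for a dashboard-first guide, but keep the API name nearby since the API tab still uses it.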
@@ -46,25 +46,42 @@ This guide covers how to use the Cloudflare API to link a self-hosted applicatio
46
46
47
47
The first step is to add the MCP server to Cloudflare Access as an OIDC-based SaaS application. For step-by-step instructions on how to add an MCP server, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/ai-controls/saas-mcp/).
48
48
49
-
## 2. Get the SaaS application ID
49
+
## 2. Create an Access policy with a Linked App Token
| Service Auth | Include | Linked App Token |`mcp-server-cf-access`|
62
+
63
+
:::note
64
+
The Linked App Token selector only works with the [Service Auth](/cloudflare-one/access-controls/policies/#service-auth) action, similar to service token rules.
65
+
:::
66
+
67
+
</TabItem>
68
+
<TabItemlabel="API">
69
+
70
+
1. Get the `id` of the MCP server SaaS application:
1. Create the following Access policy, replacing the `app_uid` value with the `id` of your SaaS application:
74
+
```json title="Response"
75
+
{
76
+
"id": "3537a672-e4d8-4d89-aab9-26cb622918a1",
77
+
"uid": "3537a672-e4d8-4d89-aab9-26cb622918a1",
78
+
"type": "saas",
79
+
"name": "mcp-server-cf-access",
80
+
...
81
+
}
82
+
```
83
+
84
+
2. Create the following Access policy, replacing the `app_uid` value with the `id` of your SaaS application:
68
85
69
86
<APIRequest
70
87
path="/accounts/{account_id}/access/policies"
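Review bot: `<TabItemlabel="API">` at line 68 has no space between the component name and its `label` prop, so the MDX will not compile; it should read `<TabItem label="API">`. Also, the policy table row `| Service Auth | Include | Linked App Token |`mcp-server-cf-access`|` uses the example application name as the selector value without saying where it comes from; add a clause that this is the name of the SaaS application created in step 1 (it is the `name` shown in the API tab's response at line 80).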
@@ -82,11 +99,11 @@ Get the `id` of the MCP server SaaS application:
82
99
}}
83
100
/>
84
101
85
-
:::note
86
-
The `linked_app_token` rule type only works with [`non_identity` decisions](/cloudflare-one/access-controls/policies/#service-auth), similar to service token rules.
87
-
:::
102
+
:::note
103
+
The `linked_app_token` rule type only works with [`non_identity` decisions](/cloudflare-one/access-controls/policies/#service-auth), similar to service token rules.
104
+
:::
88
105
89
-
2. Copy the Access policy `id` returned in the response:
106
+
3. Copy the Access policy `id` returned in the response:
90
107
91
108
```json title="Response" {5}
92
109
{
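Review bot: the `:::note` block is deleted at lines 85–87 and re-added word-for-word at lines 102–104, so unless the nesting inside `<TabItem>` changed, this hunk is a no-op that only adds noise to the diff. The same caveat now appears in both tabs (the UI tab says "Service Auth action", this tab says "`non_identity` decisions"), so consider stating it once above the `<Tabs>` block with both names, e.g. "The Linked App Token selector (`linked_app_token` in the API) only works with the Service Auth action (`non_identity` decision)." The step renumbering from 2 to 3 at line 106 is consistent with the new "Get the `id`" step 1.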
@@ -106,30 +123,16 @@ Get the `id` of the MCP server SaaS application:
106
123
}
107
124
```
108
125
109
-
This policy will allow requests if they present a valid OAuth access token that was issued for the specified SaaS application.
110
-
111
-
## 4. Update the self-hosted application
112
-
113
-
You can add the `linked_app_token` policy to any `self_hosted` application in your Zero Trust account. Other app types (such as `saas`) are [not currently supported](#known-limitations).
126
+
</TabItem>
127
+
</Tabs>
114
128
115
-
1. Get your existing self-hosted application configuration:
This policy will allow requests if they present a valid OAuth access token that was issued for the specified SaaS application.
121
130
122
-
2. Add the Access policy to the self-hosted application. To avoid overwriting your existing configuration, the `PUT` request body should contain all fields returned by the previous `GET` request.
You can add the Linked App Token policy to any [self-hosted application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) in your Zero Trust account. Other app types (such as [SaaS applications](/cloudflare-one/access-controls/applications/http-apps/saas-apps/)) are [not currently supported](#known-limitations).
131
134
132
-
## 5. Configure the MCP server
135
+
## 4. Configure the MCP server
133
136
134
137
With the policy in place, every API request to the self-hosted application must now include a valid `access_token` from Cloudflare Access. You will need to configure the MCP server to forward the `access_token` in an HTTP request header:
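Review bot: removing the "## 4. Update the self-hosted application" section with its GET and PUT steps (old lines 111–122) leaves the retained sentence "You can add the Linked App Token policy to any self-hosted application" (new line 131) without any instruction on how the policy is attached to the application; either link to the self-hosted application page's policy steps or keep a short attachment step here. Also check the heading sequence: in this diff "## 2. Create an Access policy with a Linked App Token" is followed by "## 4. Configure the MCP server", so confirm that a "## 3" heading still exists in the unchanged region between them. Finally, the retained note at new line 131 now says other app types are "not currently supported" with a link to `#known-limitations`; confirm that anchor survives the restructuring.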
src/content/docs/cloudflare-one/access-controls/policies/index.mdx (5 additions & 4 deletions)
@@ -143,10 +143,11 @@ Non-identity attributes are polled continuously, meaning they are-evaluated with
143
143
| IP ranges |`192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) | ✅ | ✅ | ❌ |
144
144
| Country | Uses the IP address to determine country. | ✅ | ✅ | ❌ |
145
145
| Everyone | Allows, denies, or bypasses access to everyone. | ✅ | ❌ | ❌ |
146
-
| Common Name | The request will need to present a valid certificate with an expected common name. | ✅ | ✅ | ❌ |
147
-
| Valid Certificate | The request will need to present any valid client certificate. | ✅ | ✅ | ❌ |
148
-
| Service Token | The request will need to present the correct service token headers configured for the specific application. | ✅ | ✅ | ❌ |
149
-
| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/access-controls/service-credentials/service-tokens/) created for this account. | ✅ | ✅ | ❌ |
146
+
| Common Name | The request will need to present a valid certificate with an expected common name. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ |
147
+
| Valid Certificate | The request will need to present any valid client certificate. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ |
148
+
| Service Token | The request will need to present the correct service token headers configured for the specific application. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ |
149
+
| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/access-controls/service-credentials/service-tokens/) created for this account. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ |
150
+
| Linked App Token | Checks for a valid [OAuth access token](/cloudflare-one/access-controls/ai-controls/linked-apps/) issued to a specific Access for SaaS application. Requires the [Service Auth](#service-auth) action. | ✅ | ✅ | ❌ |
150
151
| Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ | ✅ |
151
152
| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/access-controls/policies/mfa-requirements/) method used by the user, if supported by the identity provider. | ✅ | ❌ | ✅ |
152
153
| Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/team-and-resources/users/scim/). | ✅ | ❌ | ✅ |
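Review bot: the hunk header's context line "Non-identity attributes are polled continuously, meaning they are-evaluated with" contains the typo "are-evaluated" (should be "re-evaluated"); since the table directly below is being touched, fix it in the same change. The new "Linked App Token" row at line 150 copies the Service Token rows' column values (✅ ✅ ❌) and the "Requires the Service Auth action" sentence added to each non-identity row, which is consistent; the link target `/cloudflare-one/access-controls/ai-controls/linked-apps/` should be checked against the renamed guide in the first file of this commit.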