
Moving from license plates to badges: the Gateway Authorization Proxy

Ankur Aggarwal, Alex Holland
SASE · Secure Web Gateway · Cloudflare Gateway · Cloudflare Zero Trust

AI-Generated Summary: This is an automated summary created using AI. For the full details and context, please read the original post.

Introducing the Gateway Authorization Proxy: Simplifying Identity-Based Access Control

Cloudflare has introduced the Gateway Authorization Proxy, a new feature that addresses the limitations of traditional proxy endpoint systems. By combining browser-native proxy capabilities with Cloudflare's global network, the Gateway Authorization Proxy enables granular policy enforcement and user verification on any device that can reach the internet. This solution is particularly useful for companies with unmanaged devices, such as those acquired through mergers and acquisitions, or those operating in highly regulated environments.

Key Technical Details

The Gateway Authorization Proxy uses a Cloudflare Access-style login to verify user identity before enforcing Gateway filtering. This moves from a license plate-based system (where the source IP address stands in for the user) to a badge reader system (where each user presents their own unique identity). The proxy keeps that identity in a signed JWT cookie. Because cookies are scoped to a domain, the first visit to a new domain carries no cookie, so the user is redirected to Cloudflare Access to authenticate before the request is allowed through.

Practical Implications for Developers

The Gateway Authorization Proxy offers several benefits, including:

  • True identity integration: Logs related to proxy endpoints now show exactly which user is accessing which site.
  • Multiple identity providers: Large companies or those undergoing M&A can choose which identity providers to show users.
  • Simplified billing: Each user occupies a "seat" exactly like they do with the Cloudflare One Client, with no complicated new metrics to track.

Technical Hurdles Overcome

To make this possible, Cloudflare had to overcome the technical hurdle of associating a user's identity with every request, without a device client. The solution involves using signed JWT cookies to maintain user identity and redirecting users to Cloudflare Access for authentication when visiting a new domain.
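The per-request flow described above (look for a signed identity cookie, redirect to Access when it is missing, otherwise log the request against the user rather than an IP), as an added illustrative example; this is not Cloudflare's code, and the signing key, cookie name, login URL and JWT claim layout are assumptions.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed for this example (not Cloudflare's real key, URL or cookie name).
SIGNING_KEY = b"example-signing-key-not-a-real-secret"
ACCESS_LOGIN_URL = "https://example.cloudflareaccess.com/login"
COOKIE_NAME = "CF_Authorization"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_identity_jwt(email: str, host: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Issued after Access login: HS256 JWT binding the user to one destination host, with an expiry."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": email, "aud": host, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_identity_jwt(token: str, host: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user if algorithm, signature, audience and expiry all check out, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # reject alg substitution (e.g. "none") before trusting anything
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError, AttributeError):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("aud") != host or claims.get("exp", 0) <= now:
        return None  # cookie for another domain, or expired: treat as absent
    return claims.get("sub")

def authorize(host: str, path: str, cookies: dict, now: Optional[int] = None) -> dict:
    """Per-request proxy decision: identify the user from the cookie, or redirect to Access."""
    token = cookies.get(COOKIE_NAME)
    user = verify_identity_jwt(token, host, now) if token else None
    if user is None:
        # First visit to this domain carries no cookie: log in, then come back here.
        return {"action": "redirect", "location": f"{ACCESS_LOGIN_URL}?redirect_url=https://{host}{path}"}
    # The "badge": every allowed request is logged against a user, not a source IP.
    return {"action": "allow", "user": user, "log": f"user={user} host={host} path={path}"}
```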


Read Full Post on Cloudflare Blog