AccessIdentityProvider

Source: src/Cloudflare/Access/IdentityProvider.ts

A Cloudflare Zero Trust Access identity provider — the login method (one-time PIN, generic OIDC/SAML, or a named provider like GitHub, Google, Okta, or Azure AD) users authenticate with before Access policies evaluate.

The type is immutable (config shapes are disjoint per type — changing it replaces the IdP); name, config, and SCIM settings converge in place. Cloudflare masks secret config fields (clientSecret, API tokens) on read, so those fields diff against your previously declared props instead of observed cloud state.
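The diff rule for masked fields can be modelled as below. This is an added illustration, not code from the library: `changedFields`, `naiveChangedFields`, the `apiToken` key name and the mask string are all assumptions, and the sample values are constructed.

```typescript
// Added illustration: a model of the diff rule, not the library's code.
type Config = Record<string, unknown>;

// Fields the page names as masked on read. "apiToken" is an assumed key
// name standing in for "API tokens".
const SECRET_FIELDS = new Set(["clientSecret", "apiToken"]);
const MASK = "**********"; // constructed stand-in for the masked value

const same = (a: unknown, b: unknown): boolean =>
  JSON.stringify(a) === JSON.stringify(b);

// Naive rule: compare every declared field with observed cloud state.
// A masked secret never equals the real one, so it is flagged on every run.
function naiveChangedFields(declared: Config, observed: Config): string[] {
  return Object.keys(declared)
    .filter((k) => !same(declared[k], observed[k]))
    .sort();
}

// Rule described above: secret fields are compared with the previously
// declared props; all other fields are compared with observed state.
function changedFields(
  declared: Config,
  previousProps: Config | undefined,
  observed: Config,
): string[] {
  return Object.keys(declared)
    .filter((k) => {
      const baseline = SECRET_FIELDS.has(k) ? previousProps?.[k] : observed[k];
      return !same(declared[k], baseline);
    })
    .sort();
}

// Constructed sample data.
const lastDeclared: Config = {
  clientId: "my-client-id",
  clientSecret: "example-secret-v1",
  scopes: ["openid", "email", "profile"],
};
const observedState: Config = { ...lastDeclared, clientSecret: MASK };
const rotated: Config = { ...lastDeclared, clientSecret: "example-secret-v2" };

console.log(naiveChangedFields(lastDeclared, observedState));
console.log(changedFields(lastDeclared, lastDeclared, observedState));
console.log(changedFields(rotated, lastDeclared, observedState));
```

In this model a secret changed outside the declaration is not reported as drift, because the observed value is always the mask; the secret is re-sent only when the declared value itself changes.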

One-time PIN (no external dependencies)

const otp = yield* Cloudflare.AccessIdentityProvider("Pin", {
  type: "onetimepin",
  config: {},
});

Generic OIDC provider

const oidc = yield* Cloudflare.AccessIdentityProvider("Sso", {
  type: "oidc",
  config: {
    clientId: "my-client-id",
    // Placeholder value. Cloudflare masks this field on read, so it is
    // diffed against the previously declared props.
    clientSecret: "my-client-secret",
    authUrl: "https://idp.example.com/authorize",
    tokenUrl: "https://idp.example.com/token",
    certsUrl: "https://idp.example.com/keys",
    scopes: ["openid", "email", "profile"],
  },
});

// Restrict the application's login methods to the OIDC provider declared above.
yield* Cloudflare.AccessApplication("Admin", {
  domain: "admin.example.com",
  allowedIdps: [oidc.identityProviderId],
});