
Ability to add custom headers for Cloudflare Zero Trust

Open eamontaf opened this issue 6 months ago • 2 comments

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

This request is similar to issue 1026. We are interested in being able to generate certificates on clients through a Cloudflare Zero Trust tunnel. According to the Cloudflare documentation here, we would need to be able to set the 'cf-access-token' header with a value that is generated with the cloudflared command line utility. This would allow us to perform authentication and authorization prior to reaching our step-ca instance.

Why is this needed?

Such a tunnel increases the security of our deployment by providing an additional layer of authentication and authorization. If there were a way to pass user data into step, it would also potentially provide the ability to template certificates to prevent users from inadvertently or maliciously issuing a certificate with incorrect parameters such as a common name or email address.

We are currently building a CA that will issue certificates to YubiKey holders and are using a webhook to map YubiKey serial numbers to users. This could remove the need for the webhook if we could verify that a user had permission to access the CA via Cloudflare, rather than needing to provide access over VPN or a physical connection to our network. It also may reduce the administrative burden of maintaining the webhook and the user-to-YubiKey mappings.

eamontaf avatar Aug 15 '24 03:08 eamontaf
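The mechanism the request describes (a CA client that attaches a `cf-access-token` header whose value comes from `cloudflared`) can be sketched independently of the step CLI. The following Go program is an added example, not code from the step project or from the issue author. It assumes a hypothetical `headerTransport` wrapper around `http.RoundTripper`, a `tokenFromCloudflared` helper that shells out to `cloudflared access token --app=<url>`, and a constructed local test server that stands in for the Cloudflare edge and merely echoes the header it received; only the header name and the `cloudflared` command are taken from the issue text.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os/exec"
	"strings"
)

// accessHeader is the header Cloudflare Access expects on requests arriving
// through a Zero Trust tunnel (the name quoted in the issue).
const accessHeader = "cf-access-token"

// headerTransport (hypothetical) is an http.RoundTripper that adds a fixed set
// of headers to every outgoing request and then delegates to a base transport.
type headerTransport struct {
	base    http.RoundTripper
	headers map[string]string
}

func (t *headerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	// RoundTrippers must not mutate the caller's request, so work on a clone.
	r := req.Clone(req.Context())
	for k, v := range t.headers {
		// Do not clobber a header the caller set explicitly.
		if r.Header.Get(k) == "" {
			r.Header.Set(k, v)
		}
	}
	base := t.base
	if base == nil {
		base = http.DefaultTransport
	}
	return base.RoundTrip(r)
}

// NewAccessClient returns an *http.Client whose every request carries the
// Access token. The token is never logged here; treat it like a credential.
func NewAccessClient(token string) *http.Client {
	return &http.Client{Transport: &headerTransport{
		headers: map[string]string{accessHeader: token},
	}}
}

// tokenFromCloudflared runs `cloudflared access token --app=<url>` (the
// utility the issue refers to) and returns the trimmed token. It requires a
// prior `cloudflared access login`, so it is not exercised by the demo below.
func tokenFromCloudflared(appURL string) (string, error) {
	out, err := exec.Command("cloudflared", "access", "token", "--app="+appURL).Output()
	if err != nil {
		return "", fmt.Errorf("cloudflared access token: %w", err)
	}
	return strings.TrimSpace(string(out)), nil
}

// demoRoundTrip starts a constructed local server that plays the role of the
// Cloudflare edge: it rejects requests without the header (403) and otherwise
// echoes the header value back. It returns the value the server observed.
func demoRoundTrip(token string) (string, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get(accessHeader)
		if got == "" {
			http.Error(w, "missing access token", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, got)
	}))
	defer srv.Close()

	resp, err := NewAccessClient(token).Get(srv.URL + "/acme/directory")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("status %d: %s", resp.StatusCode, strings.TrimSpace(string(body)))
	}
	return string(body), nil
}

func main() {
	// Constructed token; in practice it would come from tokenFromCloudflared.
	seen, err := demoRoundTrip("constructed-access-token")
	fmt.Println(seen, err)
}
```

The transport only fills the header when the caller has not already set it, so a client that obtains its own token (for example from a different `cloudflared` app) keeps precedence; the stand-in server's 403 path shows what a client sees when the header is missing.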