Cloudflare + Okta support (and related solutions)

I managed to get Okta authentication working via Cloudflare to protect my SecSpy domain/login via the internet. Pretty nifty.

However...this breaks the iOS SecSpy app. I knew that going in. Not an issue at the moment, because I have the Tailscale entry point as well.

Chatting with the AI about "How could SecSpy support Okta?", I got this info:

Option 1: The "Gold Standard" Fix (OIDC Support)

The Ask: "Please add support for OIDC (OpenID Connect) or OAuth2 authentication flows using ASWebAuthenticationSession on iOS."

How it works:

  1. Instead of typing a username/password into the app, the app detects the Cloudflare/Okta redirect.
  2. The app opens a secure system browser window (this is an iOS component called ASWebAuthenticationSession).
  3. You see the actual Okta login page inside that window, do your FaceID/Push, and get authorized.
  4. The browser window closes and hands a Session Token (Cookie) back to the Security Spy app.
  5. The app attaches that token to every subsequent video request.

Note: This is how apps like Slack, Zoom, and Google Drive handle SSO.

Option 2: The "Easier" Fix (Service Tokens)

The Ask: "Please allow users to define Custom HTTP Headers in the server connection settings."

How it works:

  1. In Cloudflare, you generate a Service Token (a specialized username/password designed for bots, not humans).
  2. This token consists of two long strings: CF-Access-Client-Id and CF-Access-Client-Secret.
  3. If the Security Spy app had a field to "Add Custom Headers," you would paste these two strings there.
  4. Cloudflare sees these headers and says, "Oh, this is an authorized app," and bypasses the Okta login screen entirely.

The Solution You Can Use TODAY (The "Warp" Bypass)

Since you can't force Ben Software to rewrite their app this weekend (😅 Note: I never suggested to the AI that I wanted Ben to re-write Security Spy this weekend), you can actually solve this right now using the tool you already have: Cloudflare WARP.

You mentioned earlier you looked at WARP (Option 2) but skipped it. This is the use case for it.

The Logic: Instead of making the App authenticate to Okta, you make your Phone authenticate to Okta (via VPN), and then the App gets a free ride.

  1. Install the "Cloudflare One" App (WARP) on your iOS device.
  2. Log in to the App: Go to Settings > Account > Login with Cloudflare Zero Trust.
    • Enter your team domain.
    • It will ask you to authenticate via Okta (using your FaceID rule).
  3. The Result: Your phone is now "inside" your secure network.
  4. The Bypass:
    • In your Cloudflare Dashboard (Zero Trust), create a Bypass Policy for your Security Spy application.
    • Action: Bypass.
    • Include: "WARP" (or "Gateway").
    • Translation: "If the user is already logged into the WARP VPN on their phone, don't ask them to log in again at the website."

Outcome:

  • Web Browser: Still protected by Okta.
  • Security Spy App: Works instantly because the WARP client on your phone is handling the "Identity" proof in the background. You get the security of Okta without the app needing to support it.


I inquired with the AI further about OIDC cost/complexity. Response:

------------

Financial Cost: Zero. OpenID Connect (OIDC) is an open standard. There are no licensing fees to Apple, Okta, or any governing body to implement it.

Development Cost (Time & Labor): Moderate to High. For a single developer or small team (like Ben Software), the "cost" is entirely about time and complexity.

Here is why they haven't done it yet:

  1. The "Engine Swap" Problem: Right now, the Security Spy app likely uses HTTP Basic Auth. This is simple: every time it asks for a video frame, it sends username:password in the header. OIDC is a State Machine. The app has to:
    • Detect a login is needed.
    • Pause the video request.
    • Open a browser window.
    • Wait for a callback code.
    • Exchange that code for a "Token."
    • Store that token securely in the iOS Keychain.
    • Attach that token to every future request.
    • The Hard Part: Monitor when that token expires (usually every hour) and silently use a "Refresh Token" to get a new one without nagging the user.
  2. That requires rewriting the entire networking layer of the app. It’s not just adding a feature; it’s changing the plumbing.
  3. The "Niche" Factor: Most Security Spy users are home users doing simple port forwarding or using Ben's built-in DDNS service. Users like you—putting a commercial-grade Zero Trust Identity Provider (Okta + Cloudflare) in front of a Mac Mini CCTV system—are the top 1% of the 1%.

If he adds the ability for you to manually paste a static API Token (like the Cloudflare Service Token mentioned earlier) into the app settings, that is probably a 1-hour job for him. Full OIDC support is probably a major refactor. The "Custom Header" request is much more likely to get a "Yes."


@Ben What do you think? 😁

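What the "custom headers" option would actually have the app do, as an added example that is not part of the original post and not SecuritySpy or Cloudflare code: a small Python client that stamps CF-Access-Client-Id and CF-Access-Client-Secret onto every request, but releases the secret only over HTTPS and only to the one host Cloudflare fronts, so a redirect to some other origin or a plain http:// typo never carries it. The host name secspy.example.com, the environment variable names, and the sample paths are assumptions.

```python
import os
import urllib.request
from urllib.parse import urlsplit

# Header names Cloudflare Access expects for a service token.
# (urllib capitalizes them on the wire as Cf-access-client-id etc.; HTTP
# header names are case-insensitive, so Access still matches them.)
CLIENT_ID_HEADER = "CF-Access-Client-Id"
CLIENT_SECRET_HEADER = "CF-Access-Client-Secret"


def access_headers(access_host, client_id, client_secret, url):
    """Return the service-token headers to send for `url`.

    The secret goes only to the exact host Cloudflare fronts and only over
    HTTPS.  Anything else (a redirect elsewhere, an http:// URL, a lookalike
    host such as secspy.example.com.evil.net) gets an empty dict.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != access_host.lower():
        return {}
    return {CLIENT_ID_HEADER: client_id, CLIENT_SECRET_HEADER: client_secret}


class ServiceTokenHandler(urllib.request.BaseHandler):
    """urllib handler that adds the headers to every outgoing request.

    It runs once per request, so the follow-up request after a 302 is
    re-checked against the host rule; add_unredirected_header also keeps
    urllib from copying the headers across redirects on its own.
    """

    def __init__(self, access_host, client_id, client_secret):
        self.access_host = access_host
        self.client_id = client_id
        self.client_secret = client_secret

    def https_request(self, req):
        hdrs = access_headers(self.access_host, self.client_id,
                              self.client_secret, req.full_url)
        for name, value in hdrs.items():
            req.add_unredirected_header(name, value)
        return req

    # Same code path for http:// URLs; access_headers refuses them.
    http_request = https_request


def build_opener(access_host, client_id, client_secret):
    """An opener that behaves like an app with 'custom headers' configured."""
    return urllib.request.build_opener(
        ServiceTokenHandler(access_host, client_id, client_secret))


def sent_headers(access_host, client_id, client_secret, url):
    """Headers a request to `url` would carry, for checking offline."""
    handler = ServiceTokenHandler(access_host, client_id, client_secret)
    req = urllib.request.Request(url)
    handler.https_request(req)
    return dict(req.header_items())


if __name__ == "__main__":
    # Stand-alone use (assumed names): put the two strings from the Zero Trust
    # dashboard into the environment rather than into the script.
    host = os.environ.get("SECSPY_HOST", "secspy.example.com")
    opener = build_opener(host,
                          os.environ["CF_ACCESS_CLIENT_ID"],
                          os.environ["CF_ACCESS_CLIENT_SECRET"])
    with opener.open(f"https://{host}/", timeout=10) as resp:
        print(resp.status, resp.headers.get("Content-Type"))
```

The headers only help if the Access application has a policy that admits that token (Cloudflare calls the action Service Auth); with them missing or wrong, Access treats the request as an unauthenticated browser and the app is back at the Okta login page it cannot render. The host check matters because a service token is a bearer credential: anyone who receives those two headers can replay them, so the client must never send them to a host it did not configure.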
Comments

  • While I appreciate what you are trying to achieve here, which is greater security, I think this is beyond the reasonable scope of our app. What you are suggesting would require significant development effort, and would be used by barely any users, since the current methods of remote access already work well and involve far less complexity:

    1. Port forwarding (the default solution). This allows for an efficient direct connection, does not rely on intermediaries of any kind, and is normally a one-click setup in SecuritySpy. The downside is that your SecuritySpy server is available to the public Internet; however, if you use a strong password, this is a genuinely tiny risk. SecuritySpy has built-in hacking resistance (e.g. automatically banning clients after a few failed login attempts).
    2. For any user who wants an extra layer of security, or for whom port forwarding isn't an option (e.g. cell/satellite connections), a virtual network solution like Tailscale or ZeroTier is ideal, and easy to set up. Only approved members of the virtual network can even attempt connections to SecuritySpy, ruling out hacking attempts. The downside is potential efficiency loss because some connections have to be routed through a relay, and also the reliance on a third party (though Tailscale/ZeroTier are both established and reliable systems).
  • photonclock
    edited January 16

    I hear ya.

    I do think the "custom header" idea is a pretty good one though and maybe not that complicated to implement?

    I'll keep working on wearing you down Ben! 😅

    In all seriousness, yes, I'm pushing for enterprise quality security solutions, because the fact of the matter is, Security Spy is great software. It's very mature at this point, and with the powerful and inexpensive hardware available these days, Security Spy is (in my humble opinion) on the edge of being a legit Enterprise-class solution for security cameras. And while I realize many of your users are probably not hip to all this stuff and wouldn't use the features, I also know that I started out as that type of Security Spy user at one point...but now, in part thanks to you and all the fancy features you've previously implemented (the Event Stream is what got me started and led me down this road) – I've evolved. And my security requirements are higher. And I don't want to outgrow Security Spy. I want to use it forever.

    So...keep all that in mind, and throw my ideas on the pile please. 😁