Node-red-contrib-google-smarthome + cloudflare access

Hi all,

These last few days I have been breaking my head (not sure if this is a valid English expression) trying to secure access to my google smarthome server using Cloudflare Access.

My use case:

  • Raspberry Pi 1B running Node-Red Docker image
  • External Access to Rpi through a Cloudflare Tunnel (docker image) running 2 services, https://xxx.example.com for Node-Red (port 1880) and https://yyy.example.com for Google Smarthome (port 3001)
  • Node-Red sits behind Cloudflare Access limited to 2 email addresses + One-Time Pin. This works without issues
  • I tried putting Google Smarthome behind Cloudflare Access using Service Auth. I created a Cloudflare client ID and client Secret and entered these as client ID and Client Secret in both Google Actions and the management node. Unfortunately this doesn't work. reqbin.com responds "Cannot process your request". Using https://yyy.example.com/check or Google Home to link my account, I immediately receive a forbidden access message from Cloudflare.
  • Modifying Cloudflare Access rules to accept email + One-Time Pin (after having deleted the Service Auth rule) works (after login) for https://yyy.example.com/check (all tests pass). With Google Home account linking I can reach the Google Smarthome login screen, but actual login fails with the message "could not reach [test] myproject. Please try again."

Looking for some guidance from anyone who has successfully installed node-red-contrib-google-smarthome using a tunnel and behind cloudflare access (which security protocol did you implement, perhaps blocking all access but bypassing google IPs) or can confirm that I'm overcomplicating things and Google Smarthome login is secure enough.

Thanks.

Michielo

One additional fact: if I disable Cloudflare Access rules on https://yyy.example.com, Google Home account linking does work, so the problem is definitely related to how Cloudflare Access protects my Google Smarthome server and Google not passing on the Client ID and Client Secret in a way that Cloudflare Access accepts.
