Cloudflare Gateway adds OIDC Claims filtering to Firewall, Resolver, and Egress policies
Cloudflare · feature, api, platform, security · developers.cloudflare.com

OIDC Claims Now Available Across All Gateway Policy Types

Cloudflare Gateway has expanded its identity-based policy capabilities by adding support for OIDC Claims as a selector in Firewall, Resolver, and Egress policies. This enhancement allows administrators to create more granular access controls by leveraging custom claims from their OpenID Connect identity provider.

What You Can Do Now

The new OIDC Claims selector enables three key use cases:

  • Firewall Policies: Filter DNS, HTTP, and Network traffic based on OIDC claim values, allowing different policy rules for different user groups
  • Resolver Policies: Route DNS queries to specific resolvers based on a user's OIDC claims, enabling departmental or role-based DNS routing
  • Egress Policies: Assign dedicated egress IPs based on OIDC claim attributes, providing identity-aware network egress controls

Practical Examples

You can now create policies such as:

  • Route traffic differently for users with department=engineering in their claims
  • Restrict access to sensitive destinations based on a user's role claim
  • Assign specific egress IPs to different departments or security groups
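To make the matching semantics behind these three use cases concrete, here is an added illustration (not Cloudflare's rule engine or API) of claim-based policy selection: each rule inspects one OIDC claim, the first matching rule per policy type wins, and a missing or non-matching claim falls back to a default. The rule set, claim values and egress addresses are constructed for the example; destination matching is deliberately omitted.

```python
"""Model of OIDC-claim-driven policy selection (illustration only, not Cloudflare code)."""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Rule:
    kind: str    # "firewall", "resolver" or "egress"
    claim: str   # OIDC claim to inspect, e.g. "department"
    value: str   # value the claim must carry for the rule to match
    action: str  # block/allow, a resolver name, or an egress IP


def claim_matches(claims: dict[str, Any], claim: str, value: str) -> bool:
    """True if the claim equals value; multi-valued claims match if any element does.
    An absent claim never matches, so a rule cannot be satisfied by a missing attribute."""
    present = claims.get(claim)
    if present is None:
        return False
    values = present if isinstance(present, list) else [present]
    return any(str(v) == value for v in values)


def evaluate(claims: dict[str, Any], rules: list[Rule], defaults: dict[str, str]) -> dict[str, str]:
    """First matching rule of each kind wins; otherwise the default for that kind applies."""
    decisions = dict(defaults)
    decided: set[str] = set()
    for rule in rules:
        if rule.kind not in decided and claim_matches(claims, rule.claim, rule.value):
            decisions[rule.kind] = rule.action
            decided.add(rule.kind)
    return decisions


# Constructed rules mirroring the page's examples (addresses are from the documentation range).
RULES = [
    Rule("firewall", "role", "contractor", "block"),            # restrict by role claim
    Rule("resolver", "department", "engineering", "eng-resolver"),
    Rule("egress", "department", "engineering", "203.0.113.10"),
    Rule("egress", "department", "finance", "203.0.113.20"),
]
DEFAULTS = {"firewall": "allow", "resolver": "default-resolver", "egress": "shared-pool"}

# Constructed identity-token claims for three users.
ENGINEER = {"sub": "u1", "department": "engineering", "role": ["employee"]}
CONTRACTOR = {"sub": "u2", "department": "finance", "role": "contractor"}
NO_CLAIMS = {"sub": "u3"}  # IdP released no custom claims: every default applies

if __name__ == "__main__":
    for user in (ENGINEER, CONTRACTOR, NO_CLAIMS):
        print(user["sub"], evaluate(user, RULES, DEFAULTS))
```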

Getting Started

To use this feature, configure custom OIDC claims on your identity provider, then select the OIDC Claims selector in the Gateway policy builder. For detailed guidance, refer to Cloudflare's documentation on identity-based policies.