Moving from license plates to badges: the Gateway Authorization Proxy

Blog post from Cloudflare

Post Details

Author: Ankur Aggarwal and Alex Holland
Word Count: 1,005
Language: English
Hacker News Points: -

Summary

Cloudflare has introduced the Gateway Authorization Proxy and Proxy Auto-Configuration (PAC) File Hosting to enhance security and simplify management for unmanaged devices connecting to the internet. They address cases where software cannot be installed on a device, such as during company acquisitions or in regulated environments. The new system shifts identity verification from device-based to network-based, using browser proxy capabilities and Cloudflare's global network to enforce policies.

Unlike previous methods relying on static IPs, the Authorization Proxy identifies users through a Cloudflare Access-style login, allowing precise user-based access and policy enforcement, and it supports multiple identity providers such as Okta and Azure AD. The setup removes the need for manual PAC file hosting and reduces maintenance. Users get a seamless experience without noticeable delays, because authentication through signed JWT cookies occurs rapidly.

The service is now in open beta. It aims to offer flexible authentication methods and broaden clientless security options, making it ideal for scenarios like virtual desktops, mergers and acquisitions, and compliance-restricted environments.