Netlify CMS giving 404 error once role-based redirects are added to Netlify _redirects file

The application I am working on is authenticating with a third-party SAML identity provider. I then followed the Netlify docs and added the JWT secret to Access control > Visitor access > Password / JWT secret. Then, also following the docs, I set up the following redirect rules to block access to anything on the site for unauthorized users:
/* 200! Role=user
/* /.netlify/functions/login 401!

This works fine: it blocks access for any unauthenticated/unauthorized users and redirects them to the Netlify function, which is set up to authenticate with the IdP.

The problem is that any access to the CMS route now fails with a 404 error. In the network logs I can see that a network call to /cms-admin/ succeeds, and then right after that there is a call to /netlify-identity.js which fails with 404, and everything after that fails with 404 as well.

I am using the GitHub backend and GitHub authentication for the CMS config. This all worked, and works fine if I remove the role-based redirects. Since the CMS will be using GitHub authentication anyway, I don’t exactly need the cms-admin route to be guarded by the role-based redirect, so I tried to overrule the role-based access by adding rules above the others like so, but it still gives the same 404 errors (this may be wrong, apologies if so):

/netlify-identity.js /netlify-identity.js 200!
/react.production.min.js /react.production.min.js 200!
/react-dom.production.min.js /react-dom.production.min.js 200!
/netlify-cms-app.js /netlify-cms-app.js 200!
/cms.js /cms.js 200!
/cms-admin/* /cms-admin/:splat 200!

I am new to Netlify and the ecosystem, so I may be doing something wrong in the redirects or somewhere else. Does anyone have any ideas why this is not working and how to get it to work? If possible, how can I add an exclusion to the redirect so the role-based access won’t be triggered for the /cms-admin route, as that would probably be the easiest route? And if not, how can I solve this issue otherwise?

Any help is greatly appreciated, thank you.

Hiya @trdev, could you confirm what site you’re working on, so we can take a look at the redirects you have in place? If you don’t want to share the hostname, you can safely share the API ID from the site overview page publicly.