
This question is in the context of the OAuth 2.0 Authorization Framework.

Consider a web application that is backed by a first-party API but relies on a third-party authorization server for SSO.

Say the index page for the application is hosted on some CDN like Amazon CloudFront. The page invokes JavaScript that checks to see if there is an authorization code in the query string.

If there is no authorization code in the query string, the page invokes JavaScript that redirects the user to the third-party login page. After the user logs in and authorizes the app, the third-party server redirects the user back to the same index page hosted on the CDN with the authorization code in the query string.

If there is an authorization code on the query string, the page invokes JavaScript that makes a request to the first-party API that includes the authorization code.

The first-party API tries to get an access token from the third-party authorization server with the given authorization code and the predefined client secret. If successful, it then tries to get the user resource on the third-party resource server. Then it responds to the request from the index page on the CDN with a session cookie for that user.

Now, in my experience, the redirect URI has been a resource on the first-party API, which redirects the user again, back to the index page on the CDN. But for this question, the first-party API wants the index page to pass it the authorization code through AJAX.

Is this a secure workflow? If not, how is it a result of using a CDN resource for the redirect URI?

Ed I

1 Answer


First - as you wrote, the third-party authorization server requires a client secret known only to the first-party API, so only your back-end can actually exchange the authorization code for an access token. Nothing wrong here.

Second - you should be using HTTPS for your redirection endpoint, so make sure your CDN supports it. Otherwise somebody can eavesdrop on the exchange, submit the access code first and take over the user session.

Third - make sure you are using an OpenID Connect provider or something similar if you want SSO. Plain OAuth is not designed for authentication (OAuth Authorization vs Authentication).

Last - unrelated to OAuth - you have to assess how putting your index page on a CDN affects your application security. It probably improves your DoS protection but introduces an element outside your direct control.

AGrzes