Cloudflare worker implementation for an oauth2 proxy

I am looking for an equivalent of GitHub - oauth2-proxy/oauth2-proxy: A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers. which can be deployed as a Cloudflare worker. This is required for an SPA which is connecting to multiple APIs deployed as workers on Cloudflare.

I have looked into auth0-spa-js, express-openid-connect and other SDK repos, but I am unable to find anything which can help me to develop the implementation I am looking for.

There are a number of SDKs (e.g. auth0-vue etc.) provided for SPAs, but all of these implementations seem to be based on the assumption that the SPA will interact with auth0 directly, and I have rarely seen this scenario in the real world. Most of the time SPAs pull data from a backend API and use the BFF (backend for frontend) pattern to delegate handling of all OAuth2-related stuff to a backend API. However, there is hardly any documentation available around this in the auth0 docs.

express-openid-connect can be used with Node.js only and so can’t be deployed as a Cloudflare worker.

What are the options to develop this kind of implementation?


@koyadume Did you ever find an answer to this? I am very interested to hear how it turned out.

I agree that documentation on this is sparse. I’ve found Curity’s documentation to be very useful. They have a Cloudflare proxy example implementation here: GitHub - curityio/cloudflare-oauth-proxy-worker: A Cloudflare worker implementation of the OAuth Proxy module from the Token Handler pattern.

@ben.brandt I did deploy oauth2-proxy on a Docker host and then exposed it to my application using a Cloudflare Tunnel. As I was running into a CORS issue with this, I created Cloudflare Pages Functions for each of the endpoints (e.g. /auth, /start, /userinfo etc.) exposed by oauth2-proxy, which resolved the CORS issue. I didn’t get time to figure out if the CORS issue can be resolved without Cloudflare Pages Functions.

The Cloudflare worker provided by Curity was another option, but I didn’t look into it due to time constraints and the fact that I had already invested a lot of time figuring out a number of things with oauth2-proxy.
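To make the two points in this thread concrete, the BFF / token-handler pattern from the original question and the CORS problem described above, here is an added example of a minimal BFF-style Cloudflare worker. It is not code from the thread, from oauth2-proxy or from the Curity project. The SPA never holds the access token: the token lives in an HttpOnly cookie scoped to the worker's origin, and the worker swaps it for an `Authorization: Bearer` header when proxying `/api/*` to the API workers. Cross-origin calls are only answered for an explicit allow-list of SPA origins, with `Access-Control-Allow-Credentials` and a concrete origin rather than `*`, which is the part that fails when a proxy sits on a different origin (as with the tunnel setup above); serving the SPA and the worker from the same origin, as the Pages Functions approach does, avoids CORS entirely. The origins, upstream URL, cookie name and the `handleRequest` / `buildUpstreamRequest` helpers are all assumptions for the example; how the token gets into the cookie (the login callback) is left out.

```javascript
// Added example, not from the thread: a minimal BFF / token-handler worker.
// All names and URLs below are assumed for illustration.

const CONFIG = {
  allowedOrigins: new Set(["https://spa.example.com"]), // assumed SPA origin(s)
  apiUpstream: "https://api.example.com",                // assumed API worker base URL
  cookieName: "__Host-session",                          // __Host- prefix: Secure, Path=/, no Domain
};

// Parse a Cookie request header into a plain object of name -> value.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Set-Cookie value for the session cookie: HttpOnly so the SPA's JavaScript
// cannot read the token, Secure + SameSite=Lax so it is only sent to this origin.
function sessionCookie(token, maxAgeSeconds = 3600) {
  return `${CONFIG.cookieName}=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=${maxAgeSeconds}`;
}

// CORS headers for an allow-listed origin only. With credentials the browser
// rejects "*", so the concrete origin is echoed back and Vary: Origin is set.
function corsHeaders(origin) {
  if (!CONFIG.allowedOrigins.has(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET,POST,PUT,DELETE,OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type",
    "Vary": "Origin",
  };
}

// Build the upstream request: /api/<path> is mapped onto the API worker, the
// browser's Cookie header is stripped so the session cookie never reaches the
// API, and the token from the cookie becomes a bearer token.
function buildUpstreamRequest(request, token) {
  const url = new URL(request.url);
  const upstreamUrl = CONFIG.apiUpstream + url.pathname.replace(/^\/api/, "") + url.search;
  const headers = new Headers(request.headers);
  headers.delete("cookie");
  headers.set("authorization", `Bearer ${token}`);
  const hasBody = request.method !== "GET" && request.method !== "HEAD";
  return new Request(upstreamUrl, {
    method: request.method,
    headers,
    body: hasBody ? request.body : undefined,
  });
}

// Worker entry point: preflight, session check, then proxy to the API.
async function handleRequest(request) {
  const origin = request.headers.get("origin") || "";
  const cors = corsHeaders(origin);

  if (request.method === "OPTIONS") {
    // Preflight: only allow-listed origins get a successful answer.
    return new Response(null, { status: cors ? 204 : 403, headers: cors || {} });
  }

  const url = new URL(request.url);
  if (!url.pathname.startsWith("/api/")) {
    return new Response("not found", { status: 404 });
  }

  const token = parseCookies(request.headers.get("cookie"))[CONFIG.cookieName];
  if (!token) {
    return new Response("unauthenticated", { status: 401, headers: cors || {} });
  }

  const upstream = await fetch(buildUpstreamRequest(request, token));
  // Re-wrap so the response headers are mutable, then attach CORS headers
  // (only when the request came from an allow-listed origin).
  const response = new Response(upstream.body, upstream);
  for (const [name, value] of Object.entries(cors || {})) response.headers.set(name, value);
  return response;
}

// In a Workers module this would be exported as: export default { fetch: handleRequest }
```

The API workers behind the proxy keep validating the bearer token themselves; the BFF only removes the token from the browser's reach and centralises the CORS policy. If the SPA must stay on a different origin, the cookie would need `SameSite=None; Secure` in addition to the allow-list above, which is one reason same-origin deployment is the simpler option.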