Inspiration

Implementing OAuth across multiple backend services leads to a lot of code duplication and is cumbersome to build, maintain and scale.

This project implements the Okta OAuth APIs on Fastly's VCL service, which executes code at the edge. This allows any backend origin server to be secured automatically via Okta's Authorization Service and prevents cross-site scripting attacks. Maintaining OAuth for all services in one place at the edge is extremely useful and requires no code changes to the services themselves.

What it does

The Fastly VCL (Varnish configuration) rewrites requests to the Okta server if an access token or cookie does not exist. See this Fastly Fiddle for the implementation: https://fiddle.fastlydemo.net/fiddle/ca918f37

Once a user logs in via Okta, the redirect URI hits Fastly, where the token is checked and sent to an OAuth proxy server that retrieves the access token.

The origin server is set to example.com (this can be multiple services of your site), and an OAuth proxy on Glitch sends the Basic Auth header to Okta and returns the token to Fastly. This token is then attached to every subsequent request sent to the upstream origin servers. The token also respects Okta's expiry header.

This allows OAuth to be enabled on any backend service with one click. All you have to do is attach the backend server as an upstream origin on Fastly.
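The edge flow described above, written out as an added sketch in Fastly VCL rather than the project's own Fiddle code. It assumes backend names F_origin (example.com) and F_oauth_proxy (the Glitch proxy), a cookie named okta_token that the proxy sets on the callback response after checking the okta_state cookie against the state Okta echoes back, and the placeholders YOUR_OKTA_DOMAIN and YOUR_CLIENT_ID.

```vcl
# Added sketch, not the project's Fiddle. Assumed: backends F_origin and
# F_oauth_proxy, cookie okta_token (set by the proxy on the callback response),
# and placeholders YOUR_OKTA_DOMAIN / YOUR_CLIENT_ID.

sub vcl_recv {
  #FASTLY recv

  # Callback: route the authorization code to the proxy, which performs the
  # POST to Okta's token endpoint that VCL itself cannot build.
  if (req.url.path == "/authorization-code/callback") {
    set req.backend = F_oauth_proxy;
    return(pass);
  }

  # No token cookie: mint a state value and redirect the browser to Okta.
  if (!req.http.Cookie:okta_token) {
    set req.http.X-Okta-State = randomstr(32);
    error 701 "okta-redirect";
  }

  # Token present: forward it as a bearer token and strip the cookie so the
  # origin never receives it. Pass rather than lookup: a per-user response
  # must never be served from the shared cache to another user.
  set req.http.Authorization = "Bearer " + req.http.Cookie:okta_token;
  unset req.http.Cookie;
  set req.backend = F_origin;
  return(pass);
}

sub vcl_error {
  #FASTLY error
  if (obj.status == 701) {
    set obj.status = 302;
    set obj.response = "Found";
    set obj.http.Location = "https://YOUR_OKTA_DOMAIN/oauth2/default/v1/authorize"
      "?client_id=YOUR_CLIENT_ID&response_type=code&scope=openid"
      "&redirect_uri=" urlencode("https://" req.http.host "/authorization-code/callback")
      "&state=" req.http.X-Okta-State;
    # The proxy compares this cookie with the state parameter Okta returns,
    # so a callback that was not started by this browser is rejected.
    set obj.http.Set-Cookie = "okta_state=" req.http.X-Okta-State
      "; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=300";
    set obj.http.Cache-Control = "no-store";
    synthetic {""};
    return(deliver);
  }
}
```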

How I built it

I used the following:

  1. Fastly VCL
  2. Okta's Server side OAuth Flow: https://developer.okta.com/authentication-guide/implementing-authentication/auth-code/
  3. Glitch for the OAuth Proxy Nodejs Service: https://glitch.com/~okta-auth-edge

Challenges I ran into

Implementing the OAuth protocol at the edge was very challenging. I had to figure out how to rewrite and transform request headers and backend servers, learn the Varnish syntax and implement the Okta API.

The token exchange API takes POST body data, so I could not modify it directly within Fastly VCL, since it does not grant access to POST bodies. I wrote a quick OAuth proxy service in Node.js to write the POST body and authenticate with Okta.

Glitch has a limitation on pointing custom domain names at it, so the Fastly domain tends to 404. However, other services that allow custom domains should work.

Accomplishments that I'm proud of

  1. Running OAuth at the edge!
  2. Implementing the Okta APIs
  3. Integrating Okta into Fastly for CDN-level authorization.

What I learned

  1. OAuth end to end implementation for backend services
  2. Fastly VCL

What's next for oauth-at-the-edge

  1. The capabilities of OAuth at the Edge are exciting. I plan to use Okta's JWT with React and verify the JWT Tokens in Fastly VCL, since these don't need the POST body to be modified.
  2. Implementing other forms of authentication via Okta at the edge. Seemingly every API Okta has to offer can be implemented at edge servers, including services like Cloudflare Workers and AWS CloudFront's Lambda@Edge.
