Can I use Cloudflare Workers for "just" the OAuth component of a GitHub Pages app?

I’m working on a web app that allows users to batch archive an organization’s repositories. My grand plan had been to deploy as a single-page-app via GitHub Pages so I wouldn’t need any server infrastructure.

The rub is that users will need to authenticate on GitHub in order to have permission to archive repositories, which means (I think) that I’ll need at least minimal server infrastructure in place to handle OAuth. (Feel free to let me know if I’m totally wrong on this. I’m out at the edge of what I know about several of the technologies I’m using.)

Someone suggested using Cloudflare Workers for this, and it seemed like a really cool idea…except that I’m hopelessly stuck, and I’m not really sure what the fundamental issues are so it’s hard to know what to search for.

Below is a diagram outlining what I’m thinking of:

[Diagram: Cloudflare idea v2]

The basic idea is that:

  • The web app running in the browser sends the login request to the CF Worker
  • The Worker sends the request to the GitHub login API
  • The Worker gets the code when the user logs in
  • The Worker exchanges the code for an access token
  • It then sends the token back to the web app
  • The web app then uses that in its requests to the GitHub API

I’m running into two problems:

  • I can’t seem to get GitHub to recognize the Cloudflare Worker URL as the redirect URL; I always get mismatch URL errors. I’m only running the Worker in dev mode at the moment – will I have to actually deploy it to get GitHub to be happy having a conversation with it?
  • Is it OK to send the access token back to my single page app? Some of what I’ve read online suggests that this is a bad idea for security purposes. If that’s true, will I need to “hold” the token in my KV store and then route all my app traffic through the Worker?

Thanks for any help folks can provide here. I feel like I’ve read 78.2% of the Internet and am no closer to understanding what the architecture should look like than I was when I started.

Many thanks – Nic
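
The flow outlined in the question, sketched as an added example that is not part of the original post and not code from GitHub or Cloudflare. It shows the two Worker-side steps (redirect to GitHub, then code-for-token exchange) with a `state` check, and surfaces GitHub's JSON error such as `redirect_uri_mismatch`, which GitHub returns when `redirect_uri` does not match the callback URL registered for the OAuth app. The `env` key names, the `repo` scope, the injected `fetchImpl`, and the plain `{status, headers}` return values are assumptions made so the logic runs offline.

```javascript
// Added example, not from the post. env keys (CLIENT_ID, CLIENT_SECRET, WORKER_URL, APP_URL)
// and the "repo" scope are assumptions; a Worker would wrap each result in new Response().
const GH_AUTHORIZE = "https://github.com/login/oauth/authorize";
const GH_TOKEN = "https://github.com/login/oauth/access_token";

// Login: send the browser to GitHub. `state` is a fresh random value (for example
// crypto.randomUUID() in the Worker) kept in a cookie to bind the callback to this browser.
function loginRedirect(env, state) {
  const q = new URLSearchParams({
    client_id: env.CLIENT_ID, redirect_uri: env.WORKER_URL + "/callback",
    scope: "repo", state,
  });
  const cookie = `oauth_state=${state}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=600`;
  return { status: 302, headers: { Location: `${GH_AUTHORIZE}?${q}`, "Set-Cookie": cookie } };
}

// Callback: GitHub redirects back with ?code=...&state=... Check state against the cookie,
// then exchange the code using the client secret, which never leaves the Worker.
async function callback(callbackUrl, cookieHeader, env, fetchImpl = fetch) {
  const params = new URL(callbackUrl).searchParams;
  const sent = /(?:^|;\s*)oauth_state=([^;]+)/.exec(cookieHeader || "");
  if (!sent || !params.get("code") || params.get("state") !== sent[1]) {
    return { status: 400, body: "state mismatch or missing code" };
  }
  const res = await fetchImpl(GH_TOKEN, {
    method: "POST",
    headers: { Accept: "application/json" },
    body: new URLSearchParams({
      client_id: env.CLIENT_ID, client_secret: env.CLIENT_SECRET,
      code: params.get("code"), redirect_uri: env.WORKER_URL + "/callback",
    }),
  });
  const data = await res.json();
  // GitHub reports failures (redirect_uri_mismatch, bad_verification_code) in the JSON body.
  if (data.error || !data.access_token) {
    return { status: 502, body: `token exchange failed: ${data.error || "no token"}` };
  }
  // Following the question's plan, the token goes back to the app in the URL fragment,
  // which browsers do not send to servers; the app should read it and clear the URL.
  const to = `${env.APP_URL}#access_token=${encodeURIComponent(data.access_token)}`;
  return { status: 302, headers: { Location: to, "Set-Cookie": "oauth_state=; Max-Age=0; Path=/" } };
}
```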