Would a reverse-proxy authentication server be a secure setup?
Reverse proxies are pretty common for what you are asking. Quite a few companies make servers designed for what you're asking, so you could use those as a reference.
For instance, I've used WebSEAL (IBM ISAM) quite a bit at companies (seems popular for some reason around me). They have modules already built for OAuth and most other types of authentication.
You can use these servers to:
- Provide a single "identity" across multiple systems with different user stores.
- Provide a more secure method of authentication for users on legacy systems which may lack the features you want (e.g. provide OAuth authorization for users, while the proxy uses Basic Auth for a back-end call).
- Isolate systems by forcing connections through a single point.
- Combinations of all of these.
Design notes:
- OAuth is an AUTHORIZATION protocol, NOT an AUTHENTICATION protocol.
- When you are trying to establish identity, look to OpenID, JWT or SAML, or run your own Identity Provider.
- When you are trying to authorize a request, look at OAuth 2.0 or JWT.
- Use an ID token for identity (e.g. the OpenID spec, or if rolling your own, look at JWTs).
- Have web applications use an authorization token to get an access token.
- Use access tokens to provide protected resources.
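As an added example (not code from the answer above or from any product it mentions), here is the core decision logic of such a proxy in Python: it validates a bearer ID token (an HS256 JWT, using a constructed shared key and issuer), rejects anything that fails the alg, signature, issuer or expiry checks, and forwards a valid request to the legacy backend with a constructed Basic Auth credential in place of the user's token. The `mint_id_token` helper stands in for the identity provider; all names, keys and header values are assumptions.

```python
import base64
import hmac
import json

HMAC_KEY = b"demo-key-not-for-production"  # constructed; shared with the identity provider
ISSUER = "https://idp.example"  # constructed issuer the proxy trusts
BACKEND_CREDENTIAL = base64.b64encode(b"proxy-svc:backend-secret").decode()  # constructed legacy login

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(sub: str, exp: int) -> str:
    """Stand-in for the identity provider: issue an HS256 ID token for `sub`."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": ISSUER, "sub": sub, "exp": exp}).encode())
    sig = hmac.new(HMAC_KEY, f"{header}.{payload}".encode(), "sha256").digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_id_token(token: str, now: int) -> str:
    """Check alg, signature, issuer and expiry; return the subject or raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad JSON or wrong number of segments
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported alg")  # never honour alg=none or an attacker-chosen alg
    expected = hmac.new(HMAC_KEY, f"{header_b64}.{payload_b64}".encode(), "sha256").digest()
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        raise ValueError("bad signature")
    if (not isinstance(payload, dict) or payload.get("iss") != ISSUER
            or not isinstance(payload.get("exp"), int) or now >= payload["exp"]):
        raise ValueError("wrong issuer or expired")
    return str(payload.get("sub", ""))

def gateway(inbound_headers: dict, now: int) -> tuple:
    """Proxy decision: (401, challenge) on a missing or invalid ID token, else (200, backend headers)."""
    auth = inbound_headers.get("Authorization", "")
    try:
        sub = verify_id_token(auth[7:] if auth.startswith("Bearer ") else "", now)
    except ValueError:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
    outbound = {k: v for k, v in inbound_headers.items() if k != "Authorization"}
    outbound["Authorization"] = f"Basic {BACKEND_CREDENTIAL}"  # legacy backend still sees Basic Auth
    outbound["X-Authenticated-User"] = sub  # the user's token never reaches the backend
    return 200, outbound
```

In a real deployment the proxy would also log the rejected token's failure reason and the subject it forwarded, so the backend's Basic Auth logs can be tied back to the actual user.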