Is it secure to handle the OAuth 2 Authorization callback from a CDN?

This question is in the context of the OAuth 2.0 Authorization Framework.

Consider a web application that is backed by a first-party API but relies on a third-party authorization server for SSO.

Say the index page for the application is hosted on some CDN like Amazon CloudFront. The page invokes JavaScript that checks to see if there is an authorization code in the query string.

If there is no authorization code in the query sting, the page invokes JavaScript that redirects the user to the third-party login page. After the user logs in and authorizes the app, the third-party server redirects the user back to the same index page hosted on the CDN with the authorization code in the query string.

If there is an authorization code on the query string, the page invokes JavaScript that makes a request to the first-party API that includes the authorization code.

The first-party API tries to get an access token from the third-party authorization server with the given authorization code and the predefined client secret. If successful, it then tries to get the user resource on the third-party resource server. Then it responds to the request from the index page on the CDN with a session cookie for that user.

Now, in my experience, the redirect URI has been a resource on the first-party API, which redirects the user again, back to the index page on the CDN. But for this question, the first-party API wants the index page to pass it the authorization code through AJAX.

Is this a secure workflow? If not, how is it a result of using a CDN resource for the redirect URI?