Hacker News

Frotag, yesterday at 4:06 AM (2 replies)

I've been meaning to set up some nginx-level oauth. I have some self-hosted apps I want to share with friends / family but forcing them to remember a user / pass (basic auth) or run a vpn is a bit too much friction.


Replies

emilburzo, yesterday at 8:45 AM

I've been happily using oauth2-proxy[1] with nginx as an extra layer of authentication to prevent situations where e.g. home-assistant had an unauthenticated RCE.

It's pretty neat since you can have one oauth instance for all virtual hosts, e.g.:

  server {
      [...]

      # Everything under /oauth2/ (sign_in, callback, auth) is handled by oauth2-proxy
      location /oauth2/ {
          proxy_pass       http://127.0.0.1:8469;
          proxy_set_header Host                    $host;
          proxy_set_header X-Real-IP               $remote_addr;
          proxy_set_header X-Scheme                $scheme;
          proxy_set_header X-Auth-Request-Redirect $request_uri;
      }

      # Every other request is first checked with a subrequest to /oauth2/auth;
      # a 401 from oauth2-proxy sends the browser to the sign-in page
      location / {
          auth_request /oauth2/auth;
          error_page 401 = /oauth2/sign_in;

          [...]
      }
  }

[1] https://github.com/oauth2-proxy/oauth2-proxy
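A fuller version of that pattern, as an added example (not emilburzo's config and not taken from the oauth2-proxy project): it gives the auth_request subrequest its own location with the body stripped, and forwards the verified identity to the app in headers that nginx sets itself, so a client cannot supply them. The hostname, the oauth2-proxy port 4180 and the upstream port 8123 are assumed values.

```nginx
server {
    listen 443 ssl;
    server_name app.example.com;      # assumed hostname
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Sign-in, callback and sign-out endpoints served by oauth2-proxy
    location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;   # assumed oauth2-proxy port
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Scheme                $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # Target of the auth_request subrequest only (internal: not callable
    # by clients). The original request body is not forwarded, and the
    # Content-Length header is cleared so oauth2-proxy does not wait for
    # a body that nginx never sends.
    location = /oauth2/auth {
        internal;
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header Content-Length  "";
        proxy_pass_request_body          off;
    }

    location / {
        auth_request /oauth2/auth;
        # Not signed in -> send the browser to the sign-in page
        error_page 401 = /oauth2/sign_in;

        # Copy the identity oauth2-proxy returned on the subrequest and
        # hand it to the app; proxy_set_header overwrites any value the
        # client sent under the same header name.
        auth_request_set $user  $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        proxy_set_header X-Forwarded-User  $user;
        proxy_set_header X-Forwarded-Email $email;

        proxy_pass http://127.0.0.1:8123;   # assumed: the protected app
    }
}
```

The app behind `proxy_pass` must itself be reachable only via nginx (bind to localhost or a private network), otherwise the auth layer can be bypassed by going to its port directly.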

KronisLV, yesterday at 8:10 AM

I don’t know whether the free version of Nginx has a Relying Party Implementation, but I have used this plugin for Apache2 and OIDC in the past: https://github.com/OpenIDC/mod_auth_openidc

This page might have something, but I can’t read it myself on mobile cause it shows up broken: https://openid.net/certification/certified-openid-relying-pa...

I know it’s not just OAuth but OIDC had pretty decent provider support and I could even self-host a Keycloak instance - it was annoying to set up but worked okay in practice, could define my own users and then just get a decent login page when needed and otherwise just got into the sites I wanted.

Personally though, it felt a bit overkill when compared to basicauth for anything not run in public or for a lot of users.