I've been happily using oauth2-proxy[1] with nginx as an extra layer of authentication to prevent situations where e.g. home-assistant had an unauthenticated RCE.

It's pretty neat since you can have one oauth instances for all virtual hosts, e.g.:

  server {
      [...]   
     
      location /oauth2/ {
          proxy_pass       http://127.0.0.1:8469;
          proxy_set_header Host                   $host;
          proxy_set_header X-Real-IP              $remote_addr;
          proxy_set_header X-Scheme               $scheme;
          proxy_set_header X-Auth-Request-Redirect $request_uri;
      }
  
      location / {
         auth_request /oauth2/auth;
         error_page 401 = /oauth2/sign_in;
  
         [...]
      }
  }