The oauth2-proxy suggestion above is probably the easiest path for this. The main thing to watch out for with nginx-level OAuth is token expiry. If you set short-lived tokens (which you should), you need the proxy layer to handle refresh silently or your friends will keep getting kicked back to the login screen mid-session. If you just need Google or GitHub login for a few people, oauth2-proxy with an email allowlist is way less overhead than running a full identity provider.
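An added example, not part of the post above: an oauth2-proxy config file sketch for the setup the comment describes (Google login, email allowlist, silent refresh). The listen address, file path, durations and `REPLACE_ME` values are placeholders and assumptions, not values from the thread.

```toml
# oauth2-proxy.cfg (added example; all values are placeholders/assumptions)

provider      = "google"
client_id     = "REPLACE_ME.apps.googleusercontent.com"
client_secret = "REPLACE_ME"

# Listen locally; nginx fronts this. The static upstream suits an nginx
# auth_request setup, where the proxy only answers "allowed or not".
http_address  = "127.0.0.1:4180"
reverse_proxy = true
upstreams     = [ "static://202" ]

# Email allowlist: one address per line in this file.
# Do NOT also set email_domains = [ "*" ]: the "*" wildcard accepts any
# authenticated account, which makes the allowlist file meaningless.
authenticated_emails_file = "/etc/oauth2-proxy/allowed-emails.txt"

# Session cookie. Generate cookie_secret from a CSPRNG (16, 24 or 32 bytes).
cookie_secret   = "REPLACE_ME"
cookie_secure   = true
cookie_httponly = true

# Refresh behaviour: cookie_refresh must be shorter than cookie_expire.
# With cookie_refresh unset ("0"), the session is never renewed and users
# land back on the login screen when it lapses. With it set, the proxy
# renews the session in the background after this interval (refresh
# support varies by provider).
cookie_expire  = "24h"
cookie_refresh = "1h"

# Pass the authenticated identity to nginx as X-Auth-Request-* headers.
set_xauthrequest = true
```

Removing an address from the allowlist file stops new logins for that account; an already issued session lasts until its next refresh or expiry, which is one more reason to keep `cookie_refresh` short.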