OAuth Implementation Guide

rforssen.net – *Practical guide on how to implement authentication correctly*

This document explains how to actually build applications using the two authentication strategies defined in the OAuth Architecture document:

1️⃣ In-App Authentication
2️⃣ Edge Authentication

🟦 A. In-App Authentication

Mixed public content + authenticated personalization

This is used when an application should load normally for anyone, but behave differently based on login state and role.

Examples:

Media platform
Genealogy
Future landing page with personalized visibility

1️⃣ Backend Requirements

You already have the correct backend foundation:

Endpoint	Description
/auth/login/google	Start login
/auth/login/google/callback	Finish login
/auth/me	Check login + get user info
/auth/logout	End session

/auth/me Contract

If NOT authenticated:

{
  "authenticated": false
}

If authenticated:

{
  "authenticated": true,
  "user": {
    "email": "...",
    "name": "...",
    "sub": "google-id"
  },
  "role": "me | family | public"
}

2️⃣ Frontend Implementation Pattern

Every page using in-app authentication follows this pattern:

On page load:
1️⃣ fetchAuth() → calls /auth/me
2️⃣ Store auth state
3️⃣ renderAuthBadge() updates UI
4️⃣ Role determines what content is visible
5️⃣ Backend still protects restricted operations

Your media app already implements this extremely well (using fetchAuth(), initAuth(), BroadcastChannel, popup login, etc.). This is your platform standard.

3️⃣ Personalizing / Filtering Content

A mixed page normally behaves like this:

Guests can see public elements
Family sees extra things
Roland sees everything

Filtering works with classes and logic like:

// If not logged in
hideElementsWithClass("onlyMe");
hideElementsWithClass("familyOnly");

// If Roland
show everything
setRole("me");

// If Family
show public + family

Frontend filtering = UX convenience.
Backend authorization = real security.

4️⃣ Backend Security Enforcement

Even if UI hides features, the backend always decides access.

Operation	Auth Requirement
Delete video	me only
Trigger FFmpeg job	me only
View private family media	me + family
View public content	anyone

5️⃣ Cookie Security

Ensure Flask session configuration:

SESSION_COOKIE_SECURE = True
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SAMESITE = "Lax"

6️⃣ Redirect Safety

Do NOT allow arbitrary redirect destinations.

Only approve whitelisted domains when handling: ?redirect=

7️⃣ Implementation Checklist

Page loads for everyone
/auth/me called on load
Login badge shows correctly
Features filtered by role
Backend enforces authorization
Cookies secure

If all above are true → In-App Auth is correctly implemented.

🟥 B. Edge Authentication

Hard gate – block all access unless authenticated

Use this when nothing should be visible unless the user is authenticated. Not even the UI. No partial access. No leaks.

Perfect for:

phpMyAdmin
Admin dashboards
Cluster management tools
Dangerous development utilities
Sensitive internal pages

Conceptual Flow

User Request → Traefik Ingress → oauth2-proxy → Application

If authenticated → forward
If not → block

Who Handles Authentication?

NOT the frontend
NOT Flask
Traefik + oauth2-proxy do it

This means the protected application never sees anonymous traffic.

Edge Authentication Guarantees

App does not render unless authenticated
No HTML exposure
No debugging info for strangers
No “view source” guessing
No discovery of internal tools

Implementation Requirements

Ingress routes traffic to oauth2-proxy
oauth2-proxy handles Google login
Authorized users proceed
Unauthorized users denied

Optional Identity Headers

If app wants to know who logged in:

X-Auth-User
X-Auth-Email
X-Auth-Verified

App may:

Use these
Ignore them

Behavior Rules

No “guest mode”
No partial rendering
No public visibility
Always fail safe

When NOT to Use Edge Auth

If public should see the page
If family needs normal UX
If different role experiences exist
If app benefits from personalization

Edge Auth is for:
Infrastructure. Admin. Power Tools. Critical Systems.

Strategy Summary

Need	Use
Public + private experience	In-App Auth
Roles + personalization	In-App Auth
Family or guest usability	In-App Auth
Admin tools	Edge Auth
phpMyAdmin	Edge Auth
Cluster dashboards	Edge Auth
Any “dangerous” system	Edge Auth

Platform Philosophy

Platform / Admin / Infrastructure
➡ Edge Authentication

Family & User Applications
➡ In-App Authentication