We use PAM for user authentication, which is the software stack on Linux typically used for authenticating system users. (We previously used LDAP but it was a nightmare.) If you would like to integrate our authentication sytsem into your app, you have three options.
PAM
If your app supports PAM, set the service to sssd and then you should be good to go.
OAuth
You can use our Forgejo instance as an OAuth provider.
Proxy Authentication
You can also make nginx perform authentication. It's important that you run your app on a Unix socket with 660 permissions instead of a TCP socket since otherwise people could directly connect to the TCP socket to bypass authentication. You can obtain the authenticated username from the Remote-User header.
Add these lines to your nginx config:
proxy_set_header Remote-User $remote_user;
auth_pam "your app name";
auth_pam_service_name "sssd";