OAuth2.0 and "post processing"

[IngwiePhoenix]

Hello there!

I have been trying to implement something rather specific: I want to secure (or rather "protect") some of my services that do not have a login UI by using Discord's Oauth2 so that my friends can access it. However, the catch is that I need to verify if they are in my server (the Discord API calls this a guild). This can be done when requesting the guilds scope initially and then using the returned access token to make a request for it - it does NOT show up in the initial profile, it has to be a second request.

How could I use Hanko to implement this potentially? The flow would be something like this:

• Friend visits a service of mine, like pinchflat.example.com
• The endpoint leads to Oauth2 Proxy, which notices that the user is not signed in.
• A redirect is made to Hanko to trigger the authentification process
• A login page is shown, Discord is the available social login
• Friend uses Discord to authenticate.
• Hanko - or an extension i have to write? - receives the access token
• Hanko makes a request to fetch the guilds to enrich the user profile
  • If the list contains my server, the user is now authorized
  • If not, they are returned to an error page or something
• After being authorized, a redirect is made back to the oauth2-proxy, which now aknowledges the authentification and authorization and lets the user through.

I use k3s with traefik, so oauth2-proxy plus Traefik's forward auth make a solid method to add a login where there normally is none. But it is merely exemplary, perhaps you have a better idea :)

Would that be possible?

Thank you and kind regards,
Ingwie