Thanks, this was useful. A couple of problems I hit and my solutions, which might help other readers:

- the Google Cloud Cident ID for Web application needs the following authorized redirect URI:

https://<your domain>/oauth2/callback

- if you have a typo in your oauth2-proxy/static-file-server.conf, after correcting it you will need to restart supervisor with sudo service supervisor restart

- that #/ on the end of upsteams = in the oauth2-proxy config file is really important. From the docs:

"Static file paths are configured as a file:// URL. file:///var/www/static/ will serve the files from that directory at http://[oauth2-proxy url]/var/www/static/, which may not be what you want. You can provide the path to where the files should be available by adding a fragment to the configured URL. The value of the fragment will then be used to specify which path the files are available at, e.g. file:///var/www/static/#/static/ will make /var/www/static/ available at http://[oauth2-proxy url]/static/."

- I had an errant supervisor config file hanging around in /etc/supervisor/conf.d/ which was trying to start a process for which the executable was no longer available, resulting in the error "supervisor error: <class 'FileNotFoundError'>, [Errno 2] No such file " - supervisor's error reporting is not informative. Took me ages to pluck up the courage to move it to /tmp, after which everything worked.