diff --git a/config/config.go b/config/config.go
index 04d161f..814fb74 100755
--- a/config/config.go
+++ b/config/config.go
@@ -14,6 +14,7 @@ var (
 	StoreUser string
 	StorePass string
 	Root      string
+	OAuth     string
 )
 
 func init() {
@@ -31,6 +32,7 @@ func Refresh() {
 	as.Append(args.STRING, "storeaddr", "addr of store", "")
 	as.Append(args.STRING, "storeuser", "user of store", "")
 	as.Append(args.STRING, "storepass", "pass of store", "")
+	as.Append(args.STRING, "oauth", "url for boauthz", "")
 	as.Append(args.STRING, "root", "root of static files", "./public")
 	if err := as.Parse(); err != nil {
 		panic(err)
@@ -42,4 +44,5 @@ func Refresh() {
 	StoreUser = as.Get("storeuser").GetString()
 	StorePass = as.Get("storepass").GetString()
 	Root = as.Get("root").GetString()
+	OAuth = as.Get("oauth").GetString()
 }
diff --git a/server/routes.go b/server/routes.go
index 0887a20..d150514 100755
--- a/server/routes.go
+++ b/server/routes.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"io"
 	"local/gziphttp"
+	"local/oauth2/oauth2client"
 	"local/router"
 	"local/todo-server/config"
 	"log"
@@ -22,32 +23,34 @@ func (s *Server) Routes() error {
 	}{
 		{
 			path:    "/",
-			handler: s.gzip(s.index),
+			handler: s.index,
 		},
 		{
 			path:    "/mytinytodo_lang.php",
-			handler: s.gzip(s.lang),
+			handler: s.lang,
 		},
 		{
 			path:    fmt.Sprintf("/themes/%s%s", router.Wildcard, router.Wildcard),
-			handler: s.gzip(s.handleDeviceCSS),
+			handler: s.handleDeviceCSS,
 		},
 		{
 			path:    fmt.Sprintf("%s%s", router.Wildcard, router.Wildcard),
-			handler: s.gzip(s.phpProxy),
+			handler: s.phpProxy,
 		},
 		{
 			path:    "/ajax.php",
-			handler: s.gzip(s.HandleAjax),
+			handler: s.HandleAjax,
 		},
 	}
 
 	for _, route := range routes {
+		handler := route.handler
+		handler = s.gzip(handler)
+		handler = s.oauth(handler)
 		if err := s.Add(route.path, route.handler); err != nil {
 			return err
 		}
 	}
-	s.NotFound = s.gzip(s.index)
 	return nil
 }
 
@@ -143,6 +146,19 @@ func (s *Server) _static(w http.ResponseWriter, r *http.Request) error {
 	return err
 }
 
+func (s *Server) oauth(h http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if config.OAuth != "" {
+			err := oauth2client.Authenticate(config.OAuth, strings.Split(r.Host, ".")[0], w, r)
+			if err != nil {
+				log.Println("oauth failure", err)
+				return
+			}
+		}
+		h(w, r)
+	}
+}
+
 func (s *Server) gzip(h http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		if gziphttp.Can(r) {