Yeah, this is a great idea, just not something I intended to have finished in the near future. I haven't used passport but it seems fairly easy to figure out

@alyx in another project I contribute to we're moving forwards with implementing header auth, so SSO can be done at the reverse proxy level. Do you have any thoughts on this?

the PR is thelounge/thelounge#4447

I think this seems like a pretty reasonable idea actually. Looks like it would save a lot of time on the developer-side of things since Drift wouldn't need to deal with the entire spectacle of integrating SSO and means admins could just play with their HTTPd configs to rig it how they'd like. I'd +1 this idea

As long as the header is configurable, should be all good. A traefik+traefik-forward-auth can talk to any OIDC IdP and provide the username/mail in X-Forwarded-User

Are there any security considerations that need I need to make, or can I assume if a valid header is provided the user is authed/trusted?

When implementing header only authorization, that burden lies on the reverse proxy. Application cannot distinguish it one way or another. You sure need to call that out as something to look out for in the docs.

Ex: Traefik copies the headers from the forwardAuth middleware overwriting anything that might have been present before.

Cloudflare guarantees that the Cf-Connecting-User is set for all requests proxied behind zero trust and to be non overridable.