Support Cloudflare Argo tunnel JWTs for authentication #4467

Open
caesay opened this issue Aug 16, 2023 · 0 comments
caesay commented Aug 16, 2023

Is your feature request related to a problem? Please describe.

A free Cloudflare Argo (Zero Trust) Tunnel can be configured to tunnel traffic into your network. The benefit of this approach is that the authentication & traffic filtering happens on Cloudflare's edge, instead of in your own secure network. Only authenticated traffic will pass through into your infrastructure.

However, Cloudflare Zero Trust is not an ideal solution for managing access policies to a variety of distinct applications. Therefore it would make sense for Cloudflare to authenticate the user and forward all traffic to Pomerium to determine which application to route to and whether the user has access. In this setup, users are required to log in to the IdP twice: once at Cloudflare's edge to get into the internal infrastructure, and then again at Pomerium to access the various applications.

Describe the solution you'd like
If the Cloudflare tunnel terminates at a Pomerium server, it will pass the Cf-Access-Jwt-Assertion header, which is a JWT containing the email of the authenticated user.

It would be ideal if Pomerium could handle this header, validate that the JWT is authentic, and consider that the user has already authenticated with the IdP, rather than requiring the user to log in to the IdP twice. If the header is not present, then the traffic is likely local (not through the cf tunnel) and Pomerium should still force users to log in to the IdP.

@desimone desimone added help wanted Extra attention is needed NeedsProposal labels Sep 6, 2023
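The check the issue asks for, written out as an added example in Go (Pomerium's implementation language). This is not Pomerium's code and not code from the issue author. It assumes the Cloudflare Access public keys have already been fetched from the team's /cdn-cgi/access/certs endpoint and keyed by kid (that fetch is not shown), that tokens are RS256 with a kid header, an email claim and an aud array of application audience tags, and it uses placeholder issuer and audience values plus a locally generated RSA key (mintToken, standing in for Cloudflare's edge) so it runs offline.

```go
// Added example (not Pomerium's code): validate the Cf-Access-Jwt-Assertion JWT before trusting it.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// Claims is the subset of the Access token payload checked here ("aud" is an array of AUD tags).
type Claims struct {
	Email, Iss string
	Aud        []string
	Exp        int64
}

// Verifier pins what a valid token must look like. Keys would be loaded from the team's
// /cdn-cgi/access/certs endpoint; that fetch-and-cache step is assumed and not shown.
type Verifier struct {
	Keys     map[string]*rsa.PublicKey // kid -> RSA public key
	Issuer   string                    // expected "iss", e.g. https://<team>.cloudflareaccess.com
	Audience string                    // expected Access application AUD tag
}

// ErrNoToken: header absent, so the request did not come via the tunnel; run the normal IdP login.
var ErrNoToken = errors.New("Cf-Access-Jwt-Assertion header missing")

// Authenticate applies the issue's rule: no header -> ErrNoToken (fall through to the IdP);
// header present -> it must verify, and any failure is a hard reject, never a fall-through.
func (v *Verifier) Authenticate(r *http.Request) (*Claims, error) {
	tok := r.Header.Get("Cf-Access-Jwt-Assertion")
	if tok == "" {
		return nil, ErrNoToken
	}
	return v.Verify(tok)
}

// Verify checks structure, pinned algorithm, key id, RS256 signature, issuer, audience and expiry.
func (v *Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if b, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(b, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	key, ok := v.Keys[hdr.Kid]
	if hdr.Alg != "RS256" || !ok { // pin the algorithm; the token never gets to choose (alg=none, HMAC/RSA confusion)
		return nil, errors.New("unexpected alg or unknown kid")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims // claims are only trusted after the signature check above
	if b, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(b, &c) != nil {
		return nil, errors.New("bad payload")
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == v.Audience
	}
	switch {
	case c.Iss != v.Issuer:
		return nil, errors.New("wrong issuer")
	case !audOK:
		return nil, errors.New("token was issued for a different Access application")
	case c.Exp <= time.Now().Unix():
		return nil, errors.New("token expired")
	case c.Email == "":
		return nil, errors.New("token carries no email claim")
	}
	return &c, nil
}

// mintToken stands in for Cloudflare's edge so the example runs offline with a locally
// generated key (constructed test data, not a real Access token). Panics on signing failure.
func mintToken(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	signing := enc(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
	digest := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

Two design points matter for the proposal. First, the only path that skips the IdP login is an absent header; a header that is present but fails any check is rejected outright, so a client on the local network cannot forge its way past the proxy by sending a made-up assertion (it lacks Cloudflare's signing key). Second, the audience check is what stops a genuine token minted for some other Access application behind the same team domain from being replayed against this one, which is why the AUD tag has to be pinned per route rather than just checking the issuer.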