
☂️ support for external authentication via identity-aware proxies (a.k.a. "header-based auth") #11901

@johnstcn

Description

This is an umbrella issue to track support for external authentication via identity-aware proxies ("header-based auth") such as Google Cloud IAP, Microsoft Entra Application Proxy, and AWS Verified Access.

At a high level, this includes the following changes:

  • Adding support for Coder to read and validate a JWT from a configurable HTTP header.
  • Authenticating users from configurable claims in the above JWT.
  • Associated refactoring, testing, and other cleanup as required.

RFC: https://www.notion.so/coderhq/External-Authentication-via-Identity-Aware-Proxies-a-k-a-header-based-auth-2217b65064b54f06a68258729db5dd76?pvs=4

Must-haves:

  • Write an RFC for external authentication via identity-aware proxies #11902
  • header-based auth: Refactor httpmw.APIKey middleware to expose an interface
  • header-based auth: Implement enterprise httpmw.JWTAuth to authenticate users via JWT claims
  • header-based auth: Integrate enterprise httpmw.JWTAuth into enterprise/coderd
  • header-based auth: Add a /debug endpoint to dump JWT claims
  • header-based auth: Add documentation regarding authentication via identity-aware proxies

Nice to have:

  • header-based auth: Add support for automatically creating users based on JWT authentication claims.
  • header-based auth: Create a path to migrate existing users from either built-in or OIDC authentication to "proxy" authentication.
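As an added sketch, not code from this issue or from Coder, the Go example below shows the shape of the first two must-haves: read a JWT from a configurable header, verify it before trusting anything in it, and take the user identity from a configurable claim. The header name, issuer, user claim, HS256 shared key and sample claims are all assumptions made for the example; real identity-aware proxies sign with asymmetric keys, so a production verifier would check against the proxy's published public keys instead of a shared secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

// JWTAuth is a hypothetical config, not Coder's real one: the header the proxy sets,
// the user claim, the expected issuer and an HS256 key (real proxies use asymmetric keys).
type JWTAuth struct {
	Header, UserClaim, Issuer string
	Key                       []byte // constructed shared secret
}
var enc = base64.RawURLEncoding
func (a JWTAuth) mac(signingInput string) []byte {
	h := hmac.New(sha256.New, a.Key)
	h.Write([]byte(signingInput))
	return h.Sum(nil)
}
// Sign builds a compact HS256 JWT and stands in for the proxy in this example.
func (a JWTAuth) Sign(claims map[string]any) string {
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	return input + "." + enc.EncodeToString(a.mac(input))
}
// Authenticate reads the JWT from the configured header, verifies the signature in
// constant time before trusting any claim, then checks issuer and expiry and returns the user claim.
func (a JWTAuth) Authenticate(h http.Header) (string, error) {
	p := strings.Split(h.Get(a.Header), ".")
	sig, err := enc.DecodeString(p[len(p)-1])
	if len(p) != 3 || err != nil || !hmac.Equal(sig, a.mac(p[0]+"."+p[1])) {
		return "", errors.New("malformed token or bad signature")
	}
	var claims map[string]any
	if cb, err := enc.DecodeString(p[1]); err != nil || json.Unmarshal(cb, &claims) != nil {
		return "", errors.New("bad claims")
	}
	exp, _ := claims["exp"].(float64)
	user, _ := claims[a.UserClaim].(string)
	if claims["iss"] != a.Issuer || float64(time.Now().Unix()) >= exp || user == "" {
		return "", errors.New("wrong issuer, expired, or missing user claim")
	}
	return user, nil
}
```

Because the header is the only credential, one check the code cannot enforce itself is deployment: Coder must be reachable only through the proxy, since any client able to set the header directly would otherwise skip the proxy's own authentication.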
