Phabricator behind an Identity-Aware Proxy (IAP)

We’re currently investigating the possibility of putting Phabricator behind an Identity-Aware Proxy (such as https://cloud.google.com/iap/) so our employees can access Phabricator securely without needing to be on a VPN, while Phabricator itself is not exposed to the internet.

We’ve had a quick attempt at this ourselves (which can be seen at https://github.com/thought-machine/phabricator/pull/12), but it really feels like we’re working at odds with the Phabricator Auth Provider mechanism.

IAP works by providing a signed JWT to the underlying application. Decoding this JWT provides information about the logged-in user. We’re currently mapping this as an External account, but there are some weird bits, like registration, login, etc., that just don’t seem to apply.

Are we going about this the right way, or is there a different / better level to hook into?

Thanks!