Description
I have a Coder instance that is presently happily sitting behind an AWS ALB using the AWS Cognito integration for authentication. This links to my IDP and so all connections through to Coder are authenticated before any service that I run is exposed to the internet. I believe this configuration is commonly called an "Identity Aware Proxy", though the proxying action is very transparent and is part of the ALB.
(This is independent of Coder itself being set up for OIDC separately with the same IDP.)
This works brilliantly in the browser, but not so much for Coder workspaces that are not in the same private VPC network as the Coder server, as, if they want to be able to call back to Coder via the external ACCESS_URL, they can't get past the authentication requirement.
I can bypass this by using simple methods like IP whitelisting (not possible for my use case) or a header, e.g. a bearer token authentication.
Is there any way to get the Coder agent to send along an additional header that I can use to secure the connection and bypass the need to redirect to browser-interactive SSO?
Failing this, what is the general recommendation for securing a Coder instance exposed to the raw Internet? Is running a WAF with some automatic detection package generally recommended?
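One way to express the header-based exception the question describes, as an added Terraform example that is not from the issue or from Coder: it assumes the Coder agent can be made to send the header (which is exactly what the question asks), and the listener, target group, Cognito resources, header name and secret variable are all placeholders.

```hcl
# Added example, not part of the issue or of Coder. Two rules on one HTTPS listener:
# the lower priority number is evaluated first, so the header match must come before
# the Cognito rule or every request is sent to browser SSO.

# Rule 1: requests carrying the agent's shared-secret header skip Cognito and reach Coder,
# which still applies its own agent/session authentication.
resource "aws_lb_listener_rule" "coder_agent_header" {
  listener_arn = aws_lb_listener.https.arn # placeholder: your HTTPS listener
  priority     = 10

  condition {
    http_header {
      http_header_name = "X-Coder-Agent-Token"           # assumed header name
      values           = [var.coder_agent_shared_secret] # long random value from a secret store
    }
  }

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.coder.arn # placeholder: Coder target group
  }
}

# Rule 2: everything else must authenticate with Cognito before being forwarded.
resource "aws_lb_listener_rule" "coder_browser_sso" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 20

  condition {
    path_pattern {
      values = ["/*"]
    }
  }

  action {
    type = "authenticate-cognito"
    authenticate_cognito {
      user_pool_arn       = aws_cognito_user_pool.idp.arn          # placeholder
      user_pool_client_id = aws_cognito_user_pool_client.coder.id  # placeholder
      user_pool_domain    = aws_cognito_user_pool_domain.coder.domain
    }
  }

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.coder.arn
  }
}
```

The header match is a static shared secret checked by the ALB, not proof of which workspace is calling, so anyone holding the value reaches Coder's own authentication layer; treat it like a credential (store it outside Terraform state, rotate it) and monitor ALB access logs for requests that matched rule 10 from unexpected source addresses.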