I run my Hass instance behind an nginx reverse proxy that uses oauth2_proxy to let users authenticate with Google for example. This way I can authenticate once and I have access to everything in my network, that sits behind the proxy, including Home Assistant. This works great and allows me to let less tech savvy relatives to access Hass securely without having to remember a new password. Furthermore, it doesn’t look like Hass so arguably gives a potential attacker less motivation.
The problem is that with the new authentication module I basically have to log in twice, once with Google and then username and password in Hass. Grafana has a nifty feature that lets you pass in a header with the username from the proxy and automatically log the user in.
The idea would be to add a new authentication module based on headers, where my nginx reverse proxy could connect to Hass sending a header “hass_user: tom” to log the user in using a different authentication module.