Thanks for the excellent write-up!
In the conditions you mention for the workaround, authentication is required for the whole domain. Is there a way to scope it to authenticate only the subdomain and all paths for it?
Imagine I want to run a multitenant authentication setup, and authenticate customerA to customerA.example.com/…
and customerB to customerB.example.com/…, without allowing them access to the endpoints associated with another customers subdomain.
Is this supported?