@caspicat @ryanc No, the other way around: the proxy would generate a token based on a secret, so the value passed back to the app server can't be forged by the attacker.
But again: this would in all likelihood be a **BAD SOLUTION**, because the authn decision would still be made by a component that has incomplete information about exactly what should be authn'd and how! If you think about the previous examples, the rev proxy would generate a valid JWT just as it generated a True value, because it interpreted the URLs differently than the app server.
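An added illustration, not part of the original post: a constructed proxy and app server that share an HMAC secret, showing that the token cannot be forged yet is still issued when the two sides read the path differently. The `/public/` exemption rule, the path handling on each side, and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import posixpath
from urllib.parse import unquote

SECRET = b"constructed-demo-secret"  # assumption: key shared by proxy and app

def _sign(msg: str) -> str:
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()

def app_view(raw_path: str) -> str:
    # Hypothetical app server: percent-decodes and collapses dot segments
    # before routing.
    return posixpath.normpath(unquote(raw_path))

def proxy_issue(raw_path: str, has_session: bool):
    # Hypothetical proxy: judges the raw path as received, without decoding.
    # Paths under /public/ are exempt from authn; others need a session.
    if raw_path.startswith("/public/") or has_session:
        return f"{raw_path}|{_sign(raw_path)}"  # token = judged path + MAC
    return None  # the proxy would answer 401 itself

def token_valid(token) -> bool:
    if not token:
        return False
    judged, _, mac = token.rpartition("|")
    return hmac.compare_digest(mac, _sign(judged))

def app_trusts_signature_only(raw_path: str, token) -> bool:
    # The MAC proves the proxy said yes, not that it judged the same
    # resource the app is about to serve.
    return token_valid(token)

def app_checks_agreement(raw_path: str, token) -> bool:
    # Defensive variant: also require that the path the proxy judged is the
    # path the app will route; any disagreement is rejected.
    return token_valid(token) and token.rpartition("|")[0] == app_view(raw_path)

def demo(raw_path: str, has_session: bool = False):
    token = proxy_issue(raw_path, has_session)
    return (app_view(raw_path),
            app_trusts_signature_only(raw_path, token),
            app_checks_agreement(raw_path, token))
```

The agreement check only detects this one disagreement; the authn decision is still made at the proxy, which is the objection raised in the post.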