This has been a super long time. Have you made progress here?
We used to sort of implement this with the Sandbox. We have a custom auth provider that validates JWTs. However, we passed the JWT into https://myserver:7473/ (which our proxy handled instead of passing that URL into Neo4j). On that page, we set the browser Local Storage objects with the credentials on that host, which were then picked up by the browser when we redirected to the browser.
I think that if there were a URL on the browser's HTTP(S) endpoint that accepted a Bolt URL, username, password, and a next URL, a lot of this would be easier for customers.
This could almost be accomplished with an unmanaged server extension, but I'm not sure if there is an option for those extensions to respond without authentication. Do you know if there is?
In any case, I think this would go a long way to making Neo4j more accessible inside an enterprise environment.
I have also considered writing an HTTP+Bolt proxy to facilitate all of this. I guess that's what you did for the Sandbox. Before Bolt came around, we did this for the HTTP(S) endpoint and it worked pretty well, since our app could decide whether to send the request to Neo4j based on the session state that it already has. Bolt makes this a bit more complicated.
It looks like Nigel Small put a PoC for this together in Python:
Just responded to @d.murali in another thread, but there is a way to pass in credentials for the browser.
Take a look here:
I haven't yet tried to do this with a JWT, but I don't see why it wouldn't work. Certainly would be more secure (due to time limitation) than passing a password.