That or just put the frontend behind a reverse proxy with sso.

SSO is about making a user account inside a service provider (e.g. TFA) which mirrors that same user account in the identity provider (e.g. Okta). A reverse proxy isn't able to write to the upstream application's user store or otherwise assert the identity of the current user to the upstream application, as far as I'm aware. It could do some kind of binary proxy-or-don't-proxy based on a valid assertion from the IdP, but the application would just attribute all traffic to a single user.

Or is there some kind of gateway standard that I'm unaware of?

Have a look at something called external, or forward auth. For example 1) Traefik: https://doc.traefik.io/traefik/middlewares/http/forwardauth/, 2) Nginx: https://docs.nginx.com/nginx/admin-guide/security-controls/c..., 3) Envoy: https://www.envoyproxy.io/docs/envoy/latest/configuration/li....

This can be used to add whatever authn/authz you require to apps that don't even support authn/authz. I'm using Traefik ForwardAuth with Keycloak for Jaeger SSO in a couple of places.

Yes, OAuth-proxy, Nginx external auth, ...

That would be so nice. But if they’re planning to ‘add it to our enterprise plans’ then I doubt your PR would be accepted. Leaving you to manage a fork.

If they truly wanted to build an open source community around their product, the "enterprise" part would just be "we host it for you" and not "we gatekeep features that we think we can extort big companies to pay"

That is: I wouldn't hold off on a PR just because they said they're going to get around to it; if the PR works, and is merged, that's one less part they have to write. If they don't merge it, then the bad faith you're discussing will be a concrete fact and not speculation, and will serve as a warning to others not to bother submitting more PRs

Interesting points. Sounds like you've got some sound experience in the politics of open source