Thanks Dan and I also followed a bit the link that Peter provided on this.
Definitely I can see use-case as proxy as well as IDP itself.
Would it be possible to strike a middle path here, in the sense that based on filters and whitelist of IP CIDRs the operators/admins
can configure to accept API calls without 2FA, while anywhere outside would accept users credentials with in-built 2FA. So that way the auto-tests would not break (eg within CF vPC or dev env which are typically pvt ip-ranges)
Is there a path for reopening of the mentioned/closed ticket?