Granting temporary access into a Ziti network

Hey friends - I wanted to ask this question to see if this idea would be possible, but also as a way to archive it for later, as these ideas keep distracting me from my current OpenZiti POC.

End goal: I can share an HTTP link with someone to access a resource in my Ziti network which only they could use (or the link can be used once) and which will eventually expire. The user shouldn't need to install or configure any extra software (i.e. not a tunneler client).

Rough impl:

  1. The user clicks a link
  2. A "guest" identity is generated with some TTL
  3. A token is stored on the client
  4. All calls to the resource are proxied via another host that can tunnel the traffic using the user's provided identity token

Is this possible? Am I violating some fundamental principle here by introducing a hop before tunneling traffic? Is there a better way to achieve the end goal?

This sounds really close to what zrok does. It's not single-use and it doesn't expire, but much of the idea sounds like it overlaps to me.

Have you had a look at zrok yet? It uses OpenZiti for secure connectivity, and the shares are ephemeral if you want. They only last as long as the zrok share is active.

It sounds like it'll cover a lot of what you're looking for?

I've been reading through some of the recent threads and it sounds like zrok might do the job; I'll investigate that lead further, thanks!