How to set up external OIDC IdP authentication with AWS App Runner without application code changes?

I have a public web application running on EC2 instances behind an ALB that handles authentication by integrating with an OIDC identity provider. This keeps authentication external to the application code.

I want to migrate to AWS App Runner but need to keep authentication external so developers don't have to change application code.

How can I set up external authentication with AWS App Runner without having to change my application code? Specific requirements:

• Must integrate with OIDC identity provider
• Authentication handled externally before requests reach application code
• No changes required to application code
• Prefer no VPC modifications if possible

I want the application code to be agnostic to the authentication mechanism. Please provide examples or documentation of how to keep authentication external with AWS App Runner and avoid having to change my application code.