Thanks for the reply!
I found this discussion which asked about pretty much the same thing.
One simple solution could maybe to allow passing a certain set of sysadmin-configurable environment variables between the front-end Apache authenticating instance and the nginx PUNs?
It would certainly be a valuable addition to the feature set, given that many authentication backend provide contextual information about authenticated users (email address, group membership…) that could be certainly be handy and useful in custom PUN applications.