If you want to build a web app, only accessible for a given set of users, you can use a VPN to do so. Via the VPN, only certified users can reach the endpoints of your app. The app server is not opened up to the broader internet.
A lot of things must be considered:
- Firewall settings on the server
- VPN Provider. E. g. Tailscale or self-hosted Wireguard
- Integration with other Auth providers
- Handling a domain
- Signing SSL certificates
- All possible end devices must be authorized / install the necessary client
In theory, the app then does not need other authentication than through the VPN itself.