Kubernetes Ingress - Oauth but bypass on condition

Given a kubernetes environment with nginx-ingress operator in place
And auth0 configured for Social Login
And ingress rules configured for a ‘staging’ site

When a request is made against the controller
from an ip range not whitelisted
OR not containing a special header (HTTP Basic / Token etc)
I want to redirect the user to Auth0

When a request is made against the controller
from a whitelisted Ip range OR with a valid http header bearer token
I want the request to be default allowed

Because we have automated scanning systems such as site crawlers, penetration testing systems, and so on that cannot handle oauth flows and need an escape hatch to reach our sites.
Multiple ingress services are not viable due to the overheads in configuration.

We also make urls from these sites available to ‘trusted external users’ and so need to have a mechanism to authenticate their access (hence Auth0).

So in summary;

Have a Kubernetes ingress with Auth0 oauth access control, but bypass when a token/http basic credential is included on the request.

Any ideas?