It happens that you need to somehow forward public keys to the server.

OpenSSH has an interesting mechanism - executing an application to obtain a key for a specific user - AuthorizedKeysCommand

But there is a small caveat here - the user must already be logged in.

In general, add the following to /etc/ssh/sshd_config:

AuthorizedKeysCommand /usr/local/sbin/iam-ssh-auth
AuthorizedKeysCommandUser nobody

I ended up with this strange script:

#!/bin/bash

if [ $# -ne 1 ]; then
    echo "Usage: $0 userid" >&2
    exit 1
fi

if [ -f /etc/default/iam-ssh-auth ]; then
    . /etc/default/iam-ssh-auth
else
    echo "Could not find config file" >&2 
    exit 1
fi

userid=$1

if [ "$IAM_SSH_LOCAL_KEYS" = "YES" ]; then
    keyfile="/var/lib/keys/${userid}.pub"

    if [ -f $keyfile ]; then
        cat $keyfile
    fi
fi

if [ "$IAM_SSH_API_KEYS" = "YES" ]; then
    if [ ! -z "$IAM_SSH_API_ADDR" ]; then
        curl -s -H "Content-Type: text/plain" ${IAM_SSH_API_ADDR}/iam/host/$(hostname -f)/${userid}
        curl -s -H "Content-Type: text/plain" ${IAM_SSH_API_ADDR}/iam/host/global/${userid}
    fi
fi

Actually, here you can use authorization through local files and/or go to the API to get what you need.