- Task
- Resolution: Duplicate
In 4.8, the kube-apiserver was [wired to call the TokenReview API provided by oauth-apiserver|https://github.com/openshift/cluster-authentication-operator/pull/304]. This makes our custom carry patch to authenticate oauth users unnecessary and aligns us with upstream again. Moreover, it adds the possibility to use a different token reviewer. This epic is about exploring how to wire OIDC providers like Keycloak into OpenShift in place of oauth-apiserver. It explores the remaining gaps in functionality in such a setup that we have to fill to completely replace oauth-server+apiserver without sacrificing existing functionality (e.g. oauth-proxy based SSO).