Description

To enable Console to authenticate against multiple external OIDC providers, a new configuration flag is required. The Console must be able to read provider definitions from a file and validate its usage against existing auth flags.

Scope

• Add support for --user-auth-oidc-providers-file

• Define and validate the ConsoleExternalOIDCProviders schema

• Enforce:
  • Only valid when --user-auth=oidc
  • Mutually exclusive with existing {}user-auth-oidc{-}* flags

• Load providers at startup

• Feature-gate the behavior

Acceptance Criteria

• Console accepts --user-auth-oidc-providers-file

• Provider file is parsed and validated

• Invalid flag combinations are rejected

• Existing single-provider flags remain unchanged when feature gate is disabled

• Behavior is gated by ExternalOIDCMultipleIdPs

Non-Goals

• UI changes

• Operator changes

• Runtime hot-reload of providers