Description

Console authentication logic must be updated to support multiple external OIDC providers, including per-provider issuer URLs, client credentials, scopes, and callback handling.

Scope

• Update auth initialization to register multiple providers

• Ensure correct redirect and callback handling per provider

• Ensure token validation works correctly for all configured issuers

• Preserve existing single-provider behavior when feature gate is disabled

Acceptance Criteria

• Console supports multiple issuer URLs and client configs

• Auth redirects are provider-specific

• Callbacks are handled correctly per provider

• Single-provider behavior remains unchanged without the feature gate

• Behavior is gated by ExternalOIDCMultipleIdPs

Non-Goals

• Provider selection UI

• Changes to Kubernetes API authentication

• Supporting per-user provider switching post-login