OpenShift Bugs
OCPBUGS-27857

[Tracker for future implementation] kube-apiserver should wire authentication/cluster's .spec.oidcProviders configuration instead of still requiring apiServerArguments oidc flags to be set via the unofficial unsupportedConfigOverrides


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • Affects Version/s: 4.15.0, 4.16.0
    • Component/s: apiserver-auth
    • Severity: Moderate

      Description of problem:

      kube-apiserver should wire the authentication/cluster resource's .spec.oidcProviders configuration instead of still requiring the apiServerArguments oidc flags to be set via the unofficial unsupportedConfigOverrides.

      Version-Release number of selected component (if applicable):

      $ oc version
      Client Version: 4.16.0-0.nightly-2024-01-24-031529
      Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
      Server Version: 4.16.0-0.nightly-2024-01-23-185225
      Kubernetes Version: v1.29.1+0e0d15b

      How reproducible:

      Always

      Steps to Reproduce:

      1. Enable the BYO auth feature in the OCP env:
      $ oc patch featuregate cluster --type=merge -p='{"spec":{"featureSet":"TechPreviewNoUpgrade"}}'
      
      2. Create BYO OIDC with Keycloak:
      $ oc new-project keycloak
      $ oc process -f https://raw.githubusercontent.com/keycloak/keycloak-quickstarts/latest/openshift/keycloak.yaml \
          -p KEYCLOAK_ADMIN=admin \
          -p KEYCLOAK_ADMIN_PASSWORD=admin \
          -p NAMESPACE=keycloak \
      | oc create -f -
      
      $ KEYCLOAK_HOST=https://$(oc get route keycloak --template='{{ .spec.host }}')
      $ echo $KEYCLOAK_HOST
      https://keycloak-keycloak.apps....
      
      3. Visit the $KEYCLOAK_HOST/admin page, create a client "openshift-test-aud", set its "Valid redirect URIs" to http://localhost:8080/, and create a user xxia with a password.
      
      4. $ curl -sSk "$KEYCLOAK_HOST/realms/master/.well-known/openid-configuration" > oauthMetadata
      $ oc create configmap oauth-meta --from-file ./oauthMetadata -n openshift-config
      configmap/oauth-meta created
      
      $ mkdir -p router-ca
      $ oc extract secret/router-ca -n openshift-ingress-operator --to router-ca --confirm
      $ oc create configmap keycloak-oidc-ca --from-file=ca.crt=router-ca/tls.crt -n openshift-config
      
      5. Configure BYO auth:
      $ oc patch authentication.config cluster --type=merge -p="
      spec:
        oauthMetadata:
          name: oauth-meta
        oidcProviders:
        - claimMappings:
            groups:
              claim: groups
              prefix: ''
            username:
              claim: email
              prefixPolicy: ''
          issuer:
            audiences:
            - openshift-test-aud
            issuerCertificateAuthority:
              name: keycloak-oidc-ca
            issuerURL: $KEYCLOAK_HOST/realms/master
          name: keycloak-oidc-test
        type: OIDC
        webhookTokenAuthenticator: null
      "
      authentication.config.openshift.io/cluster patched
      
      6. Wait about 15 mins for the KAS pods to restart and reach Running.
      
      7. Then run:
      $ oc login --exec-plugin=oc-oidc --client-id=openshift-test-aud --extra-scopes=email,profile --callback-port=8080 --insecure-skip-tls-verify
      It outputs:
      Please visit the following URL in your browser: http://localhost:8080
      
      8. Open http://localhost:8080 in a browser; it redirects to the Keycloak login page. Enter the user and password; the login succeeds.

      Actual results:

      After step 8, sometimes it shows "Authorized" and "You can close the window", but sometimes the successful login page closes automatically.
      
      And then step 7 outputs:
      [xxia@2024-01-24 21:56:11 CST external-oidc-test]$ oc login --exec-plugin=oc-oidc --client-id=openshift-test-aud --extra-scopes=email,profile --callback-port=8080 --insecure-skip-tls-verify
      Please visit the following URL in your browser: http://localhost:8080
      Login failed (401 Unauthorized)
      Verify you have provided the correct credentials.
      [xxia@2024-01-24 21:56:55 CST external-oidc-test]$
      
      After checking the KAS pod logs, I found the following; not sure whether it is related:
      2024-01-24T13:56:50.597541541Z E0124 13:56:50.597447      16 authentication.go:73] "Unable to authenticate the request" err="invalid bearer token"
      
      But checking the id_token, it seems to be good:
      $ cat ~/.kube/cache/oc/dae0561683bc... | jq -r '.id_token' | jq -R 'split(".") | .[] | @base64d | fromjson'
      {
        "alg": "RS256",
        "typ": "JWT",
        "kid": "..."
      }
      {
        "exp": 1706104669,
        "iat": 1706104609,
        "auth_time": 1706104609,
        "jti": "f3656618-7a2d-4658-9116-02db65c8fd43",
        "iss": "https://keycloak-keycloak.apps..../realms/master",
        "aud": "openshift-test-aud",
        "sub": "2f2ba6a8-e73f-4e31-babe-fb46c5b609ea",
        "typ": "ID",
        "azp": "openshift-test-aud",
        "nonce": "Wqdhigi6PSbJyCEHLqlP7p3l62IdOnS93EAw95AxP4M",
        "session_state": "0e3a1f6a-4363-4a75-a037-286f03c009ff",
        "at_hash": "WJTuBmdeTDLW-QS_5FJHyQ",
        "acr": "1",
        "sid": "0e3a1f6a-4363-4a75-a037-286f03c009ff",
        "email_verified": false,
        "name": "Xingxing Xia",
        "preferred_username": "xxia",
        "given_name": "Xingxing",
        "family_name": "Xia",
        "email": "xxia@redhat.com"
      }
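As an added debugging aid, not part of the bug report: a small Python script that checks the claims of a decoded id_token (the view the jq command above produces) against the oidcProviders entry configured in step 5, reporting mismatches in issuer, audience, expiry or the mapped username claim. The issuer hostname, the placeholder signature and the sample claims are constructed; the script never verifies signatures, which remains kube-apiserver's job.

```python
import base64
import json
# Constructed stand-in for the authentication/cluster spec patched in step 5 of the report
# (a dict rather than YAML, so no PyYAML is needed); the issuer hostname is made up.
AUTH_SPEC = {
    "type": "OIDC",
    "oidcProviders": [{
        "name": "keycloak-oidc-test",
        "issuer": {"issuerURL": "https://keycloak-keycloak.apps.example.test/realms/master",
                   "audiences": ["openshift-test-aud"]},
        "claimMappings": {"username": {"claim": "email", "prefixPolicy": ""}},
    }],
}
# Constructed claims modelled on the decoded id_token shown in the report.
SAMPLE_CLAIMS = {"iss": AUTH_SPEC["oidcProviders"][0]["issuer"]["issuerURL"],
                 "aud": "openshift-test-aud", "typ": "ID", "exp": 1706104669, "iat": 1706104609,
                 "sub": "2f2ba6a8-e73f-4e31-babe-fb46c5b609ea", "email": "xxia@redhat.com"}

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(claims: dict) -> str:
    # Constructed token with a placeholder signature: this script only inspects claims (KAS verifies signatures).
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT', 'kid': 'constructed'})}.{enc(claims)}.placeholder-sig"
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)

def decode_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def check_token_against_spec(token: str, spec: dict, now: int) -> list:
    """Return mismatches between the token and the first oidcProviders entry (empty = consistent)."""
    claims, problems = decode_claims(token), []
    issuer = spec["oidcProviders"][0]["issuer"]
    username_claim = spec["oidcProviders"][0]["claimMappings"]["username"]["claim"]
    if claims.get("iss") != issuer["issuerURL"]:
        problems.append(f"iss {claims.get('iss')!r} != issuerURL {issuer['issuerURL']!r}")
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if not set(aud) & set(issuer["audiences"]):
        problems.append(f"aud {aud} not in configured audiences {issuer['audiences']}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if username_claim not in claims:
        problems.append(f"username claim {username_claim!r} missing")
    return problems
```

To use it on a real cluster, replace SAMPLE_TOKEN with the `.id_token` value from the oc cache file and AUTH_SPEC with `oc get authentication.config cluster -o json` parsed into a dict; an empty result means a 401 like the one above is not explained by a claim mismatch.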
      
      Only after manually setting the apiServerArguments oidc flags via the unofficial unsupportedConfigOverrides could step 7 succeed without error, using the detailed steps below:
      $ oc patch cm -n openshift-config-managed default-ingress-cert -p '{"metadata":{"namespace":"openshift-config"}}' --dry-run=client -o yaml | oc apply -f -
      
      $ oc patch proxy cluster -p '{"spec":{"trustedCA":{"name":"default-ingress-cert"}}}' --type=merge
      
      $ oc patch kubeapiserver/cluster --type=merge -p="
      spec:
        unsupportedConfigOverrides:
          apiServerArguments:
            oidc-ca-file:
            - /etc/kubernetes/static-pod-certs/configmaps/trusted-ca-bundle/ca-bundle.crt
            oidc-client-id:
            - openshift-test-aud
            oidc-issuer-url:
            - $KEYCLOAK_HOST/realms/master
      "
      
      Wait 15 mins for KAS restart, then repeat step 7:
      $ oc login --exec-plugin=oc-oidc --client-id=openshift-test-aud --extra-scopes=email,profile --callback-port=8080 --insecure-skip-tls-verify
      Please visit the following URL in your browser: http://localhost:8080
      Logged into "https://api....:6443" as "https://keycloak-keycloak.apps..../realms/master#2f2ba6a8-e73f-4e31-babe-fb46c5b609ea" from an external oidc issuer.
      
      You don't have any projects. Contact your system administrator to request a project.
      
      But given that authentication/cluster .spec.oidcProviders already sets the oidc flags, why does kube-apiserver not pick up the setting?
      

      Expected results:

      After step 8, it should always show "Authorized" and "You can close the window"; the successful login page should not sometimes close automatically.
      
      And kube-apiserver should automatically pick up authentication/cluster .spec.oidcProviders so that the step 7 login succeeds, without the need to set the oidc flags again manually via the unofficial unsupportedConfigOverrides.
      

      Additional info:

       

            slaznick@redhat.com Stanislav Laznicka
            xxia-1 Xingxing Xia