Bug
Resolution: Done
Normal
None
4.16.0
None
Moderate
No
Rejected
False
Release Note Not Required
In Progress
Description of problem:
BYO oc login does not honor KUBECONFIG's certificate-authority-data
Version-Release number of selected component (if applicable):
$ oc version
Client Version: 4.16.0-0.nightly-2024-01-24-031529
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: 4.16.0-0.nightly-2024-01-23-185225
Kubernetes Version: v1.29.1+0e0d15b
How reproducible:
Always
Steps to Reproduce:
Set up env and run step 1 ~ 6 of https://issues.redhat.com/browse/OCPBUGS-27857 . Then run step 7:

$ oc login --exec-plugin=oc-oidc --client-id=openshift-test-aud --extra-scopes=email,profile --callback-port=8080

It hits:

error: oidc authenticator error: oidc discovery error: Get "https://keycloak-keycloak.apps..../realms/master/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority
error: oidc authenticator error: oidc discovery error: Get "https://keycloak-keycloak.apps..../realms/master/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority
Unable to connect to the server: getting credentials: exec: executable oc failed with exit code 1

But the route https://keycloak-keycloak.apps..../realms/master/.well-known/openid-configuration indeed just uses the router CA, which is already included in KUBECONFIG's certificate-authority-data. If I extract KUBECONFIG's certificate-authority-data and use it explicitly for oc login with --certificate-authority, then there is no such error:

$ grep certificate-authority-data $KUBECONFIG | grep -Eo "[^ ]+$" | base64 -d > certificate-authority-data-origin-xxia-1.crt
$ oc login --exec-plugin=oc-oidc --client-id=openshift-test-aud --extra-scopes=email,profile --callback-port=8080 --certificate-authority=combined-certificate-authority-xxia-1.crt
Please visit the following URL in your browser: http://localhost:8080
Actual results:
7. BYO oc login does not honor KUBECONFIG's certificate-authority-data
Expected results:
7. BYO oc login should honor KUBECONFIG's certificate-authority-data; it should not be necessary to explicitly extract KUBECONFIG's certificate-authority-data and pass it with the --certificate-authority flag.
Additional info:
documents
OCPBUGS-31498 Separate oidc certificate authority and cluster certificate authority (Closed)
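The workaround in the report extracts the CA with `grep certificate-authority-data $KUBECONFIG`, which silently takes the first match in a kubeconfig that holds several clusters, not necessarily the one the current context points at. The script below is an added example written for this page; it is not code from oc, kubectl or OpenShift. It resolves current-context to its cluster the way a kubeconfig is meant to be read, decodes the CA bundle, and then checks a TLS endpoint (such as the OIDC discovery URL above) against exactly that bundle, so a practitioner can confirm whether the router CA really is inside certificate-authority-data before filing a bug against the login flow. The kubeconfig embedded in the block is constructed for the demonstration and its certificate data is a placeholder, not a real certificate; `verify_endpoint` needs a genuine bundle and network access, so only the lookup part runs offline. PyYAML is used if installed; otherwise a JSON-formatted kubeconfig (JSON is valid YAML) is loaded with the standard library.

```python
"""Resolve the CA bundle a kubeconfig trusts for the current context and
check a TLS endpoint against that bundle only (an added example for this
bug report; not oc/kubectl code)."""
import base64
import json
import socket
import ssl
from typing import Optional
from urllib.parse import urlparse

try:
    import yaml  # kubeconfig files are YAML; PyYAML is optional here

    def load_kubeconfig(text: str) -> dict:
        return yaml.safe_load(text)
except ImportError:  # JSON is a subset of YAML, so JSON kubeconfigs still load

    def load_kubeconfig(text: str) -> dict:
        return json.loads(text)


def _named(items, name: str, kind: str) -> dict:
    # kubeconfig lists entries as {"name": ..., "<kind>": {...}}
    for item in items or []:
        if item.get("name") == name:
            return item[kind]
    raise KeyError(f"no {kind} named {name!r} in kubeconfig")


def cluster_ca_pem(kubeconfig: dict, context: Optional[str] = None) -> bytes:
    """Return the PEM CA bundle for `context` (default: current-context),
    following current-context -> context.cluster -> cluster entry instead of
    grepping the file. Inline certificate-authority-data is used first, then a
    certificate-authority file path."""
    ctx_name = context or kubeconfig.get("current-context")
    if not ctx_name:
        raise ValueError("kubeconfig has no current-context; pass context explicitly")
    cluster_name = _named(kubeconfig.get("contexts"), ctx_name, "context")["cluster"]
    cluster = _named(kubeconfig.get("clusters"), cluster_name, "cluster")
    if cluster.get("insecure-skip-tls-verify"):
        raise ValueError(f"cluster {cluster_name!r} disables TLS verification; nothing to pin")
    if "certificate-authority-data" in cluster:
        return base64.b64decode(cluster["certificate-authority-data"])
    if "certificate-authority" in cluster:
        with open(cluster["certificate-authority"], "rb") as fh:
            return fh.read()
    raise ValueError(f"cluster {cluster_name!r} has no CA configured; system roots would be used")


def verify_endpoint(url: str, ca_pem: bytes, also_system_roots: bool = False,
                    timeout: float = 5.0) -> Optional[str]:
    """Open a TLS connection to `url` trusting only `ca_pem` (plus the OS trust
    store when also_system_roots=True). Returns None when the chain verifies,
    otherwise the verification error text. With the kubeconfig CA this mirrors
    what passing --certificate-authority=<that file> to oc login tests."""
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 443
    ctx = ssl.create_default_context(cadata=ca_pem.decode("ascii"))  # no system roots
    if also_system_roots:
        ctx.load_default_certs()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return str(exc)


def _fake_pem(label: str) -> str:
    # Constructed placeholder, not a real certificate: enough to exercise the
    # lookup logic; verify_endpoint would need a genuine PEM bundle.
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"


def _b64(pem: str) -> str:
    return base64.b64encode(pem.encode()).decode()


# Constructed two-cluster kubeconfig: a naive `grep certificate-authority-data`
# would return the "other" cluster's CA, while current-context selects "target".
SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1", "kind": "Config",
    "current-context": "admin@target",
    "clusters": [
        {"name": "other", "cluster": {"server": "https://api.other.example:6443",
                                      "certificate-authority-data": _b64(_fake_pem("OTHER-CLUSTER-CA"))}},
        {"name": "target", "cluster": {"server": "https://api.target.example:6443",
                                       "certificate-authority-data": _b64(_fake_pem("TARGET-ROUTER-AND-API-CA"))}},
    ],
    "contexts": [
        {"name": "admin@other", "context": {"cluster": "other", "user": "admin"}},
        {"name": "admin@target", "context": {"cluster": "target", "user": "admin"}},
    ],
    "users": [{"name": "admin", "user": {}}],
})

if __name__ == "__main__":
    import sys
    # usage: script.py [KUBECONFIG-file] [https://issuer/.well-known/openid-configuration]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KUBECONFIG
    pem = cluster_ca_pem(load_kubeconfig(text))
    print(pem.decode())
    if len(sys.argv) > 2:
        err = verify_endpoint(sys.argv[2], pem)
        print("OK: endpoint chains to the kubeconfig CA" if err is None else f"FAILED: {err}")
```

Run it as `script.py $KUBECONFIG https://keycloak-keycloak.apps..../realms/master/.well-known/openid-configuration`: an `OK` result means the discovery endpoint does chain to the CA already in certificate-authority-data, which is the condition under which the report expects `oc login` to succeed without an explicit `--certificate-authority`.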