If the OIDC provider is not reachable from the ACS Central backend, the fragment and query callback modes for user authentication could in principle still work: the ID token is returned through the user's browser, so no backchannel between the backend and the identity provider is needed to complete the login. However, Central currently only supports configuring OIDC providers through OpenID Connect discovery, i.e. fetching `<issuer>/.well-known/openid-configuration`, which requires the backend to reach the identity provider at least once during setup.
This prevents using identity providers that run on private networks together with an ACS Central running on public infrastructure, such as the ACS cloud service. Allowing the OIDC provider to be configured manually would resolve this. Note that validating the ID token signature still requires the provider's signing keys, which discovery obtains via `jwks_uri`; a manual configuration therefore has to carry the issuer, the authorization endpoint and the signing keys (or a JWKS URL the backend can reach), and a token endpoint only for flows that redeem a code on the backchannel.
One workaround could be exposing or tunneling just the well-known endpoint for ACS, because I think that for the fragment and query callback methods we don't need to contact the IdP from the backend. Another alternative would be to require users to federate or expose their identity providers for ACS Central.
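As an added example (not ACS code; the function names, fields, sample discovery document and placeholder JWKS are constructed for illustration), the following Python sketch shows what the discovery step fetches, what a manual configuration would have to carry instead, and which callback modes each configuration leaves usable when the backend cannot reach the IdP:

```python
"""Resolving OIDC provider metadata with and without discovery.

Added example for this issue; it is not ACS code. Function and field names
are hypothetical. It models what a manual configuration must carry so that
the browser-mediated callback modes (fragment/query) can work when the
backend has no route to the identity provider.
"""
import json
from dataclasses import dataclass
from typing import Dict, Optional, Set

DISCOVERY_PATH = "/.well-known/openid-configuration"

# Constructed sample discovery document for a private IdP (not a real provider).
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.corp.internal/realms/acs",
    "authorization_endpoint": "https://idp.corp.internal/realms/acs/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.corp.internal/realms/acs/protocol/openid-connect/token",
    "jwks_uri": "https://idp.corp.internal/realms/acs/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "id_token token"],
})

# Constructed placeholder JWKS: the modulus is omitted because this example only
# checks that signing keys are available; it does not verify signatures.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "2024-01", "use": "sig",
                         "alg": "RS256", "n": "<modulus omitted>", "e": "AQAB"}]}


@dataclass
class ProviderConfig:
    issuer: str
    authorization_endpoint: str
    token_endpoint: Optional[str] = None
    jwks_uri: Optional[str] = None
    jwks: Optional[Dict] = None   # signing keys supplied inline (manual config only)
    source: str = "manual"


def discovery_url(issuer: str) -> str:
    """OIDC Discovery 4.1: the document lives at <issuer>/.well-known/openid-configuration,
    with the well-known path appended after any path component of the issuer."""
    return issuer.rstrip("/") + DISCOVERY_PATH


def from_discovery(configured_issuer: str, document_json: str) -> ProviderConfig:
    """Build the config from a fetched discovery document.
    This is the path that needs the backend to reach the IdP at least once."""
    doc = json.loads(document_json)
    # OIDC Discovery 4.3: the issuer in the document MUST match the issuer the
    # discovery URL was derived from; otherwise the document is rejected.
    if doc.get("issuer") != configured_issuer:
        raise ValueError(f"issuer mismatch: configured {configured_issuer!r}, "
                         f"document says {doc.get('issuer')!r}")
    for required in ("authorization_endpoint", "jwks_uri"):
        if required not in doc:
            raise ValueError(f"discovery document lacks required field {required!r}")
    return ProviderConfig(issuer=doc["issuer"],
                          authorization_endpoint=doc["authorization_endpoint"],
                          token_endpoint=doc.get("token_endpoint"),
                          jwks_uri=doc["jwks_uri"],
                          source="discovery")


def from_manual(issuer: str, authorization_endpoint: str, token_endpoint: Optional[str] = None,
                jwks_uri: Optional[str] = None, jwks: Optional[Dict] = None) -> ProviderConfig:
    """Build the config from operator-supplied values (the proposed alternative to discovery).
    Signing keys are mandatory in some form: ID tokens that come back through the
    browser still have to be signature-checked by the backend."""
    if not issuer.startswith("https://") or not authorization_endpoint.startswith("https://"):
        raise ValueError("issuer and authorization_endpoint must be https URLs")
    if jwks is None and jwks_uri is None:
        raise ValueError("manual configuration needs either an inline JWKS or a jwks_uri")
    if jwks is not None and not jwks.get("keys"):
        raise ValueError("inline JWKS contains no keys")
    return ProviderConfig(issuer, authorization_endpoint, token_endpoint, jwks_uri, jwks, "manual")


def callback_modes(cfg: ProviderConfig, idp_reachable_from_backend: bool) -> Set[str]:
    """Which callback modes a deployment can serve with this config.

    fragment / query: the ID token travels back through the user's browser, so the
        backend only needs the authorization endpoint and the signing keys.
    code: authorization code flow; the backend must redeem the code at the token
        endpoint, which is a backchannel call to the IdP.
    """
    keys_available = cfg.jwks is not None or (cfg.jwks_uri is not None and idp_reachable_from_backend)
    if not keys_available:
        return set()  # no way to validate an ID token, so no mode is usable
    modes = {"fragment", "query"}
    if cfg.token_endpoint and idp_reachable_from_backend:
        modes.add("code")
    return modes


if __name__ == "__main__":
    issuer = "https://idp.corp.internal/realms/acs"
    print("discovery URL to expose/tunnel:", discovery_url(issuer))
    discovered = from_discovery(issuer, SAMPLE_DISCOVERY_DOC)
    print("discovery config, IdP unreachable afterwards:", callback_modes(discovered, False))
    manual = from_manual(issuer, discovered.authorization_endpoint, jwks=SAMPLE_JWKS)
    print("manual config with inline keys, IdP unreachable:", callback_modes(manual, False))
```

The point the sketch makes is that a discovery-based configuration whose `jwks_uri` later becomes unreachable can serve no callback mode at all, whereas a manual configuration with inline signing keys keeps fragment and query usable with no backchannel, and only the code flow additionally depends on reaching the token endpoint.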
Originally brought up by rh-ee-dinoue.