OpenShift Request For Enhancement: RFE-8481

Introduce direct OIDC authentication compatibility for Nexus Digital Access (DA) in OCP

Type: Feature Request
Resolution: Unresolved

Environment:

  • OpenShift 4.18
  • Primary SSO/IDP: Nexus Digital Access (DA).
  • Identity Sources: Users are federated from:
    • Azure Entra ID.
    • MSAD.
  • Workaround: OpenShift OIDC -> Keycloak SAML -> Nexus DA -> Azure Entra ID

      Currently, there is no functionality within the OpenShift authentication stack to enable direct authentication using Nexus Digital Access (DA) as an OpenID Connect (OIDC) provider.

The current direct OIDC integration fails because the Nexus DA token endpoint behaves in a non-standard or unsupported way:

  • The Nexus DA token endpoint returns an HTML error page instead of the expected JSON response when the OpenShift OAuth server attempts the token exchange.
  • Authentication for users federated through Azure Entra ID (which uses SAML with Nexus DA) fails to redirect back to OpenShift after successful authentication on the identity provider side.
  • Nexus DA uses a non-standard path structure that includes /https/ in the issuer URL and OIDC discovery endpoints, for example https://da.int.oden2.com/https/api/rest/v3.0/oauth/CLIENT_ID
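As an added diagnostic (not part of this RFE or of OpenShift's own code), the following Python check models the two failure modes above: a discovery document whose issuer does not match the configured issuer, and a token endpoint that answers with HTML instead of JSON. The host and CLIENT_ID placeholder come from the issuer URL quoted above; the endpoint suffixes and sample responses are constructed assumptions.

```python
import json
from urllib.parse import urlparse

# Issuer with the /https/ path segment described in the RFE; the endpoint
# suffixes below are assumptions, not documented Nexus DA paths.
ISSUER = "https://da.int.oden2.com/https/api/rest/v3.0/oauth/CLIENT_ID"

# Constructed sample discovery document (what a well-formed provider returns).
SAMPLE_DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/jwks",
}


def check_discovery(configured_issuer: str, doc: dict) -> list:
    """Return the reasons an OIDC discovery client would reject this provider.

    Standard discovery clients require the 'issuer' field to equal the configured
    issuer byte for byte (so a configured issuer without the /https/ segment
    fails here), and require the core endpoints to be present and HTTPS."""
    problems = []
    if doc.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {configured_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    return problems


def classify_token_response(content_type: str, body: bytes) -> str:
    """Classify a token-endpoint reply captured from the OAuth server's exchange.

    RFC 6749 requires a JSON body; an HTML error page is the failure this RFE reports."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/json":
        try:
            data = json.loads(body)
        except ValueError:
            return "invalid-json"
        if "access_token" in data:
            return "token"
        if "error" in data:
            return "oauth-error:" + str(data["error"])
        return "json-without-token"
    if media_type == "text/html" or body.lstrip()[:1] == b"<":
        return "html-error-page"
    return "unexpected:" + media_type
```

Feed the function the actual response captured from the OAuth server pod (content type and body) to confirm which of the three cases the provider is hitting.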


Why does the customer need this?

Nexus DA is the only supported SSO method within the customer's IT infrastructure (Volvo Cars). Successful integration is crucial for fitting OpenShift into the company's environment.

They currently use a workaround involving Red Hat SSO (Keycloak) as an intermediary to handle the authentication translation: OpenShift OIDC -> Keycloak SAML -> Nexus DA -> Azure Entra ID. The primary goal is to achieve direct OIDC integration without the Keycloak intermediary.

List any affected packages or components.

  • OpenShift Authentication Operator / OAuth Server Component (openshift-authentication namespace): This component is responsible for handling the OAuth and OIDC flows, including the token exchange endpoint, which is currently failing. Based on the pod logs, `handler.go` reports an error with the access token.

People: Anjali Telang (atelang@redhat.com), Abdullah Sikder (abdullahsikder)