OpenShift Request For Enhancement
RFE-8861

Improve oc login experience for External OIDC

    • Type: Feature Request
    • Resolution: Unresolved
    • Priority: Normal
    • Component: oauth-server
    • Product / Portfolio Work

      1. Proposed title of this feature request

      Improve oc login experience for External OIDC

      2. What is the nature and description of the request?

      With the oauth server users can simply type in "oc login --web <cluster-api>" which will automatically open the browser to allow the user to login with a selected IdP and return a token back to the CLI.

      In comparison, the process for External OIDC is much more involved: the user has to know implementation details of OIDC in order to correctly pass parameters to the command. For example:

      oc login --exec-plugin=oc-oidc \
          --issuer-url=https://keycloak-keycloak.apps.example.com/realms/master \
          --client-id=oc-cli-test \
          --extra-scopes=email --callback-port=8080 \
          --oidc-certificate-authority my-directory/ca-bundle.crt

      As per the above, the user has to know the Issuer URL, the client, the scopes and potentially have the proper certificate bundle on their system. In addition, unlike `--web`, this command doesn't open the browser automatically; instead the user has to open the browser manually and navigate to "http://localhost:8080".

      This workflow is overly complex compared to what we already offer in OAuth and potentially discourages adoption of the feature. Additionally, if we expand this feature out to support multiple OIDC providers it gets even more complicated.

      What I would like to see is the same workflow for External OIDC as we have with OAuth, and either use the `--web` flag for both or have a new parameter like `--oidc-web` if we must differentiate in the CLI.

      AFAIK the way this works for OAuth is that it hits an endpoint in the API to retrieve certain configuration information, starts a local web server, opens a browser which opens an endpoint provided by the OAuth pod running in the openshift-authentication namespace.

      We should provide the same capability for External OIDC. However since we do not have an OAuth pod running anymore I assume this would require a new endpoint to be created to support the OIDC use case. 

      In terms of workflow, what I would like to see is something along these lines:

      1. Run the oc login command
      2. Start up a local web server and open a browser pointing to the local web server
      3. Local web server redirects you to an endpoint in the cluster
      4. Endpoint in the cluster shows a provider list or just redirects you to the single provider
      5. Log into the OIDC provider
      6. Callback to the cluster endpoint, which gets a token
      7. Callback to the local web server, which gets a token
      8. oc authenticated

      3. Why does the customer need this? (List the business requirements here)

      The current login flow for External OIDC is overly complex and may discourage adoption of the feature. OpenShift users should not have to know intimate details of the IdP configuration in order to log in with the CLI.

      4. List any affected packages or components.

      External OIDC
      OpenShift CLI
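For readers who want to see what the "just open the browser for me" part of the request involves, the following is an added example written for this page; it is not part of the RFE and not code from oc or OpenShift. It sketches a loopback-callback OIDC login (authorization code with PKCE) in which the CLI talks to the provider directly: it fetches the issuer's discovery document, builds the authorization URL, opens the browser itself, catches the redirect on the local callback port, checks the state value, and redeems the code. This collapses steps 2 through 7 of the proposed workflow into a direct CLI-to-provider exchange; it does not model the cluster-side endpoint the RFE proposes for multi-provider selection. The issuer and client ID are copied from the RFE's example command, the `/callback` path, port and scopes are assumptions, and `SAMPLE_DISCOVERY` is a constructed stand-in for the provider's `.well-known/openid-configuration` response so that the parsing and validation can be exercised offline.

```python
import base64
import hashlib
import json
import secrets
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# ISSUER is taken from the RFE's example command; SAMPLE_DISCOVERY is a
# CONSTRUCTED stand-in for <issuer>/.well-known/openid-configuration.
ISSUER = "https://keycloak-keycloak.apps.example.com/realms/master"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "code_challenge_methods_supported": ["S256"],
})


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_discovery(doc_json: str, expected_issuer: str) -> dict:
    """Accept the document only if 'issuer' equals the configured URL and S256 PKCE is offered."""
    doc = json.loads(doc_json)
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: %r" % doc.get("issuer"))
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise S256 PKCE")
    return {"auth": doc["authorization_endpoint"], "token": doc["token_endpoint"]}


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) per RFC 7636, method S256."""
    verifier = verifier or b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(auth_endpoint, client_id, redirect_uri, scopes, state, challenge):
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": " ".join(["openid"] + list(scopes)), "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return auth_endpoint + "?" + urlencode(params)


def parse_callback(path: str, expected_state: str) -> str:
    """Extract the code from the loopback redirect; reject a foreign state or a provider error."""
    q = parse_qs(urlparse(path).query)
    if not secrets.compare_digest(q.get("state", [""])[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch on callback")
    if "error" in q:
        raise ValueError("provider returned error: %s" % q["error"][0])
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def wait_for_code(port: int, expected_state: str) -> str:
    """Serve exactly one request on 127.0.0.1:<port> and return the code it carried."""
    result = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_callback(self.path, expected_state)
                status, body = 200, b"Login complete; you can close this tab."
            except ValueError as exc:
                result["error"] = exc
                status, body = 400, str(exc).encode()
            self.send_response(status)
            self.end_headers()
            self.wfile.write(body)

    with HTTPServer(("127.0.0.1", port), Handler) as srv:
        srv.handle_request()
    if "error" in result:
        raise result["error"]
    return result["code"]


def exchange_code(token_endpoint, client_id, redirect_uri, code, verifier) -> dict:
    """Redeem the code at the token endpoint (network call, not exercised offline)."""
    form = urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier})
    req = Request(token_endpoint, data=form.encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.loads(resp.read())


def login(issuer: str, client_id: str, callback_port: int = 8080, scopes=("email",)) -> dict:
    """Direct CLI-to-provider version of the requested flow: only issuer and client_id are typed."""
    with urlopen(issuer.rstrip("/") + "/.well-known/openid-configuration") as resp:
        endpoints = parse_discovery(resp.read().decode(), issuer)
    redirect_uri = "http://localhost:%d/callback" % callback_port
    state, (verifier, challenge) = b64url(secrets.token_bytes(16)), pkce_pair()
    webbrowser.open(build_authorization_url(endpoints["auth"], client_id, redirect_uri,
                                            scopes, state, challenge))  # no manual URL typing
    code = wait_for_code(callback_port, state)
    return exchange_code(endpoints["token"], client_id, redirect_uri, code, verifier)
```

Against a real provider the entry point is `login(ISSUER, "oc-cli-test")`; a private CA such as the RFE's `ca-bundle.crt` would additionally need an `ssl.SSLContext` passed to `urlopen`. Two checks in the block are the ones a practitioner should not drop when wiring this into a CLI: the discovery document's `issuer` must equal the URL the user configured (otherwise a redirect or DNS tampering can point the client at a different provider), and the `state` on the callback must match before the code is accepted, since anyone on the machine can send a request to the loopback port. Because a loopback client cannot keep a client secret, the PKCE verifier is what ties the redeemed code to the process that started the login.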

              People: Anjali Telang (atelang@redhat.com), Gerald Nunn (gnunn@redhat.com)