RH Developer Hub Planning / RHDHPLAN-953

Create RHDH-specific authentication provider plugins


      There are RHDH-specific sign-in resolvers that we maintain and add on top of the upstream auth providers. To decouple the auth provider plugins from the RHDH backend, we need to create our own auth providers in rhdh-plugins and provide them as dynamic plugins in the overlay repo.

      This needs to be done for the following 2 auth providers:

      • auth-backend-module-oidc-provider (see next section on how to handle this)
      • auth-backend-module-oauth2-proxy-provider
        • for more context, the `oauth2ProxyUserHeaderMatchingUserEntityName` resolver was created as a result of this bug

      Creating a separate OIDC auth provider for each IdP:

      The upstream docs recommend: “If your organization uses Keycloak, you would re-badge the OIDC provider as Keycloak and tell users to Sign In using Keycloak.” RHDH should follow this pattern and create a separate plugin for each auth provider, especially if we’re making them dynamic.

      Need an auth plugin for:

      • Keycloak
      • Ping Federate
      • Also maintain a vanilla OIDC provider, the same as upstream, with `preferredUsernameMatchingUserEntityName`

      Background/Feature Origin

      This is a prerequisite for "Decouple the RHDH backend from authentication module plugins" (RHDHPLAN-933).

      Why is this important?

      These RHDH sign-in resolvers are more secure and cater to our specific customer needs.

      Documentation Impact

      We may need to update the auth provider plugin names in the current docs (TBD).

              rh-ee-jhe Jessica He
              stlewis_2 Stan Lewis
              RHDH Security