  1. Red Hat 3scale API Management
  2. THREESCALE-4412

Add OpenShift (via a cluster scoped OAuthClient) as an authentication provider for signing in to the admin portal

Details

    • Feature Request
    • Resolution: Won't Do
    • Major
    • System

    Description

      When running 3Scale in OpenShift alongside other Integration products (AMQ Online & Fuse Online), I'd like to have a single source of identity so that a user can log into each of the product consoles with the same account.
      Given that these products are running on OpenShift, I'd also like to leverage OpenShift as the single source of identity i.e. federate identity to OpenShift by configuring an identity provider for the 3Scale Admin Portal.

      This is currently possible, but it requires the use of Keycloak as a proxy between 3Scale & OpenShift.
      Currently the supported Identity Providers for 3Scale are RH-SSO (Keycloak) and Auth0.
      Ideally, SSO/Keycloak is not required (for reasons below) to federate identity to OpenShift when running 3Scale in OpenShift.

      Rationale for this ask:

      • the login flow includes an extra step in the auth flow. This increases complexity when debugging misconfiguration issues.
      • the Keycloak instance takes up extra resources in the OpenShift cluster. The intent is to deploy 3Scale in a managed environment for users. There will be a lot of clusters created and managed, each with their own instance of 3Scale. The overhead of the Keycloak instance reduces the economies of scale we can take advantage of.
      • the 3Scale deployment will be managed with an SLA. To ensure we can offer a reasonable SLA, we need to run 3Scale (and all other components in the managed cluster) in a Highly Available manner. This further increases the resource usage for Keycloak.

      Does generic OIDC work for OpenShift?
      See THREESCALE-3064

            People

              Unassigned
              davmarti@redhat.com David Martin