This RFE focuses on the completion of configuration options to allow the replacement of the oauth server under techpreviewnoupgrade.  This will external experimentation for ACM (single token authority for fleet) and keycloak with direct compatibility assessments with the current mechanisms.

The goal is to allow the internal oauth server to be disabled and then the rest of the cluster configured to use a different token validator. It may be possible to achieve this using something like

1. require TechPreviewNoUpgrade be set
2. allow disabling the internal oauth server and probably the oauth-apiserver from bootstrap. This is important so that for security purposes we can avoid ever enabling the oauth server.
3. allow the authentication.config.openshift.io#.spec.webhookTokenAuthenticator to be configured to a different location

or

1. require TechPreviewNoUpgrade be set
2. add fields authentication.config.openshift.io to configure the kube-apiserver oidc values
3. allow both types of tokens? Also disable the internal oauth server?

Either approach would allow a full prototype to be provided by ACM and/or keycloak to assess limitations and allow us to have confidence (or know what's broken) with the rest of the cluster when the replacement is made.