This issue is meant to track the enhancements and fixes being done upstream to support running a fully private Sigstore instance alongside the model validation controller, with compatibility for a custom OIDC client, such as Keycloak.

Goals:

- Enable the use of a custom OIDC issuer and client (e.g. Keycloak) with proper audience handling.
- Allow the trust configuration to work end-to-end without hardcoding assumptions like sigstore as the audience/client ID.
- Ensure the model validation controller can interoperate smoothly with a private Fulcio/Rekor/TSA stack.
- Support standard OAuth redirect flows to improve compatibility with modern OIDC providers (Google, Keycloak, etc.).

- Conformance testing to validate support for non-sigstore OIDC clients.
- Awaiting further PR merges before adding tests to this repo and model-transparency.
Dependencies & Related PRs:

- Signing: hardcoded audience value won't allow a custom sigstore clients audience claim sigstore-python#1401
- feat:(oidc) derive audience claim from client_id in IdentityToken sigstore-python#1402
- ci: ambient credential tests fix sigstore-python#1416
- Add support for custom client_id and client_secret for OIDC authentication model-transparency#474
- feat: add CLI options for client_id and client_secret model-transparency#475
- --oauth-force-oob should be configurable (currently defaults to manual flow and breaks OAuth with providers like Google) model-transparency#470
- feat(oauth): add --oauth_force_oob flag to support manual OAuth flow model-transparency#471
- feat: adding trust_config parameter for private sigstore instances model-transparency#460
- internal docs - Awaiting upstream merges to solidify before writing a full source of truth for this repo and actual documentation.
- Add support for using a private Sigstore stack model-transparency#208
- feat: adding trust_config parameter for private sigstore instances model-transparency#460
- Align Client Fallback Behavior for Deprecated ECDSA Algorithms in v3 Bundles sigstore-python#1415

This issue will serve as a central tracker for anyone wanting to deploy a self-hosted Sigstore setup without relying on the public infrastructure.
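To make the audience problem behind sigstore-python#1401/#1402 concrete, here is an added illustration (not code from sigstore-python or model-transparency) of why a fixed expected audience of "sigstore" rejects tokens from a custom Keycloak client, while deriving the expected audience from the configured client_id accepts them. The tokens, client id and issuer URLs are constructed for the example; only the aud claim is inspected, not the signature.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    # Constructed test token (header.payload.) with an empty signature segment;
    # a real identity token must of course carry a signature the client verifies.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def audience_matches(token: str, expected_audience: str) -> bool:
    # OIDC allows "aud" to be either a single string or a list of strings.
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return expected_audience in audiences


def check_token(token: str, client_id: str, derive_from_client_id: bool) -> bool:
    # Hardcoded behaviour: the expected audience is always "sigstore".
    # Derived behaviour (the #1402 goal): the expected audience is the client_id.
    expected = client_id if derive_from_client_id else "sigstore"
    return audience_matches(token, expected)


# Constructed example: a Keycloak client named "model-signing" issues tokens
# whose aud is that client id rather than "sigstore".
KEYCLOAK_TOKEN = make_unsigned_token(
    {"iss": "https://keycloak.example/realms/ml", "aud": "model-signing", "sub": "alice"}
)
# Constructed example of a token shaped like one for the public instance.
PUBLIC_STYLE_TOKEN = make_unsigned_token(
    {"iss": "https://issuer.example", "aud": ["sigstore"], "sub": "bob"}
)
```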