I'm linking the same PR here as for AEROGEAR-9009, as I believe that covers the oauth-proxy requirement. In that configuration, the oauth-proxy is configured without Subject Access Review, so any user that can authenticate to the OpenShift cluster can login to UPS. By definition, that should also mean the operator, since that will have its own token.

If there are other requirements for the variant stuff, then those will likely become more clear when that's being implemented.