This is a very, very, very specific instance where we're using unsafe. We want to be as close as possible to the k8s OIDC integration, so we're reusing their authenticator and the way they parse the flags.
However, their New() function creates the authenticator in an async manner, which makes stuff tricky for us.
It's hard to verify that the authenticator is initialized (you get a hard-coded error back, but you cannot make the authentication pass due to the nature of asymmetric encryption).
Thus we're re-exporting two private methods to create the authenticator in a sync manner, and ensure it's initialized by fetching the OIDC /.well-known/openid-configuration and letting it configure itself.
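
A stand-alone example of the synchronous readiness check described above, added here and not taken from the project's or Kubernetes' code: it blocks on the issuer's /.well-known/openid-configuration and succeeds only when the document validates. The names waitForDiscovery, discoveryDoc and newFakeIssuer are hypothetical, the local issuer is constructed for the demo, and the k8s authenticator itself is not called.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// discoveryDoc holds the two discovery fields this readiness check needs.
type discoveryDoc struct {
	Issuer  string `json:"issuer"`
	JWKSURI string `json:"jwks_uri"`
}

// waitForDiscovery (hypothetical helper) blocks until discovery validates; bound the wait via c.Timeout.
func waitForDiscovery(c *http.Client, issuer string) (*discoveryDoc, error) {
	resp, err := c.Get(strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration")
	if err != nil {
		return nil, fmt.Errorf("fetch discovery: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("discovery returned %s", resp.Status)
	}
	var d discoveryDoc
	if err := json.NewDecoder(resp.Body).Decode(&d); err != nil {
		return nil, fmt.Errorf("decode discovery: %w", err)
	}
	// The advertised issuer must equal the configured one exactly, and keys must be locatable.
	if d.Issuer != issuer || d.JWKSURI == "" {
		return nil, fmt.Errorf("invalid discovery: issuer %q (want %q), jwks_uri %q", d.Issuer, issuer, d.JWKSURI)
	}
	return &d, nil
}

func newFakeIssuer() *httptest.Server { // constructed local issuer for the demo
	var srv *httptest.Server
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(discoveryDoc{Issuer: srv.URL, JWKSURI: srv.URL + "/keys"})
	}))
	return srv
}

func main() {
	srv := newFakeIssuer()
	defer srv.Close()
	_, err := waitForDiscovery(srv.Client(), srv.URL)
	fmt.Println("initialized:", err == nil)
}
```

A configured issuer that differs from the advertised one only by a trailing slash fails this check, which surfaces the misconfiguration at startup instead of at the first rejected token.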