feat: add doc to describe use oauth2proxy directly.

README.md

@@ -543,6 +543,67 @@ For example, running the above command locally with required packages like _pass
 
 4. Try to login using the new dex password.
 
+### Change default authtication from "dex + oauth2-proxy" to "oauth2-proxy" only
+
+![auth-flow](common/oauth2-proxy/components/oauth2-flow.svg)
+
+kubeflow platform are using istio ingress gateway as it's entrypoint. 
+
+for the authentication part ,it used to be use envoy filter to forward reqeust to dex(blue lines), and using dex as a proxy to retrive JWT token and do authentication. 
+
+with kubeflow 1.8 , it integrate with oauth2 proxy since istio provider now is indestry standard. 
+
+for the purpose of out of box, it still use dex as a identity provider, but , actually , you are now able to using oauth2 proxy to directly connect 
+to your own IdP(Identity Provider: gcp, [aws](https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints-oauth-grants.html), gcp, azure and so on) 
+
+to do so , what you need to is follows: 
+1. create a application on you IdP(purple line)
+2. change your [oauth2 proxy issuer](https://github.com/kubeflow/manifests/blob/35539f162ea7fafc8c5035d8df0d8d8cf5a9d327/common/oauth2-proxy/base/oauth2-proxy-config.yaml#L10) to your IdP. 
+3. under istio-system namespace, there is a requestauthentication , you also need change it issuer to your own IdP.( or you can just directly write a new one)
+4. finally , now you can directly use issue a token from your IdP. and take thit token to access you kubeflow platform. 
+
+this feature is useful when you need to integrate kubeflow with you corrent CI/CD platform for example: Jenkins, you can now able to do m2m authentication. below is Python code example to use it.
+
+
+get JWT token From your IDP
+
+```
+import requests
+
+# idp configuration 
+token_url = "https://your-idp.com/oauth/token"
+client_id = "YOUR_CLIENT_ID"
+client_secret = "YOUR_CLIENT_SECRET"
+username = "YOUR_USERNAME"
+password = "YOUR_PASSWORD"
+# request header
+headers = {
+    "Content-Type": "application/x-www-form-urlencoded"
+}
+data = {
+    "grant_type": "password",
+    "client_id": client_id,
+    "client_secret": client_secret,
+    "username": username,
+    "password": password,
+    "scope": "openid profile email"  #change your scope
+}
+response = requests.post(token_url, headers=headers, data=data)
+TOKEN = response.json()['access_token']
+```
+
+use token to call kubeflow
+```
+import kfp
+kubeflow_host="https://your_host"
+pipeline_host = kubeflow_host + "/pipeline" 
+
+client = kfp.Client(host=pipeline_host, existing_token=TOKEN)
+
+print(client.list_runs(namespace="your-profile-name"))
+```
+
+
 ## Upgrading and extending
 
 For modifications and in place upgrades of the Kubeflow platform we provide a rough description for advanced users: