diff --git a/pkg/operator2/console.go b/pkg/operator2/console.go
index 1ccebafecf..24d62b45a2 100644
--- a/pkg/operator2/console.go
+++ b/pkg/operator2/console.go
@@ -15,7 +15,7 @@ func (c *authOperator) handleConsoleConfig() *configv1.Console {
 // technically this should be an observed config loop
 consoleConfig, err := c.console.Get(globalConfigName, metav1.GetOptions{})
 if err != nil {
- // FIXME: fix when the console team starts using this
+ glog.Infof("error getting console config: %v", err)
 return &configv1.Console{}
 }
 return consoleConfig
diff --git a/pkg/operator2/infrastructure.go b/pkg/operator2/infrastructure.go
new file mode 100644
index 0000000000..26fca3b260
--- /dev/null
+++ b/pkg/operator2/infrastructure.go
@@ -0,0 +1,19 @@
+package operator2
+
+import (
+ "github.com/golang/glog"
+
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ configv1 "github.com/openshift/api/config/v1"
+)
+
+func (c *authOperator) handleInfrastructureConfig() *configv1.Infrastructure {
+ infrastructureConfig, err := c.infrastructure.Get(globalConfigName, metav1.GetOptions{})
+ if err != nil {
+ glog.Infof("error getting infrastructure config: %v", err)
+ // have a placeholder that will at least look reasonable in the token request endpoint
+ return &configv1.Infrastructure{Status: configv1.InfrastructureStatus{APIServerURL: ""}}
+ }
+ return infrastructureConfig
+}
diff --git a/pkg/operator2/oauth.go b/pkg/operator2/oauth.go
index 0051a1b749..83a253ef08 100644
--- a/pkg/operator2/oauth.go
+++ b/pkg/operator2/oauth.go
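Review bot: The error branch of `handleConsoleConfig` in console.go logs the failed `Get` at Info severity and then returns an empty `configv1.Console`, so a NotFound and a transient API failure are indistinguishable. Both are also hard to pick out of normal operator output. The new `handleInfrastructureConfig` in infrastructure.go repeats the same pattern. I would at least raise the severity in both, `glog.Warningf("error getting console config: %v", err)`, because the empty object feeds `consoleToDeploymentData(consoleConfig)` in oauth.go and the rendered OAuth server config then silently reflects a failed read. The function's signature line is only visible as hunk context; whether glog is already imported in console.go cannot be seen from this hunk.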
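Review bot: In the new file infrastructure.go, the comment in the error branch of `handleInfrastructureConfig` promises a placeholder that will "at least look reasonable in the token request endpoint", but the value returned is `APIServerURL: ""`. That empty string is what oauth.go later assigns with `LoginURL: infrastructureConfig.Status.APIServerURL`, with no check in between. The same happens if the `Get` succeeds but the status has not been populated. Since the explicit field is just the zero value, I would write `return &configv1.Infrastructure{}` and correct the comment to `// no API server URL is known here; LoginURL is left empty in the rendered config`. A doc comment on the function stating that it never returns nil and never reports the error would also help callers.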
@@ -6,13 +6,10 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/serializer"
- utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 "github.com/golang/glog"
 configv1 "github.com/openshift/api/config/v1"
- kubecontrolplanev1 "github.com/openshift/api/kubecontrolplane/v1"
 operatorv1 "github.com/openshift/api/operator/v1"
 osinv1 "github.com/openshift/api/osin/v1"
 routev1 "github.com/openshift/api/route/v1"
@@ -20,22 +17,12 @@ import (
 "github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 )
-// TODO this code dies once we get our own CLI config
-var (
- kubeControlplaneScheme = runtime.NewScheme()
- kubeControlplaneCodecs = serializer.NewCodecFactory(kubeControlplaneScheme)
- kubeControlplaneEncoder = kubeControlplaneCodecs.LegacyCodec(kubecontrolplanev1.GroupVersion) // TODO I think there is a better way to do this
-)
-
-func init() {
- utilruntime.Must(kubecontrolplanev1.Install(kubeControlplaneScheme))
-}
-
 func (c *authOperator) handleOAuthConfig(
 operatorConfig *operatorv1.Authentication,
 route *routev1.Route,
 service *corev1.Service,
 consoleConfig *configv1.Console,
+ infrastructureConfig *configv1.Infrastructure,
 ) (
 *configv1.OAuth,
 *corev1.ConfigMap,
@@ -93,8 +80,7 @@ func (c *authOperator) handleOAuthConfig(
 assetPublicURL, corsAllowedOrigins := consoleToDeploymentData(consoleConfig)
- // TODO this pretends this is an OsinServerConfig
- cliConfig := &kubecontrolplanev1.KubeAPIServerConfig{
+ cliConfig := &osinv1.OsinServerConfig{
 GenericAPIServerConfig: configv1.GenericAPIServerConfig{
 ServingInfo: configv1.HTTPServingInfo{
 ServingInfo: configv1.ServingInfo{
@@ -123,15 +109,11 @@ func (c *authOperator) handleOAuthConfig(
 },
 },
 },
- OAuthConfig: &osinv1.OAuthConfig{
- MasterCA: getMasterCA(), // we have valid serving certs provided by service-ca so we can use the service for loopback
- // TODO osin's code needs to be updated to properly use these values
- // it should use MasterURL in almost all places except the token request endpoint
- // which needs to direct the user to the real public URL (MasterPublicURL)
- // that means we still need to get that value from the installer's config
- // TODO ask installer team to make it easier to get that URL
+ OAuthConfig: osinv1.OAuthConfig{
+ MasterCA: getMasterCA(), // we have valid serving certs provided by service-ca so we can use the service for loopback
 MasterURL: fmt.Sprintf("https://%s.%s.svc", service.Name, service.Namespace),
 MasterPublicURL: fmt.Sprintf("https://%s", route.Spec.Host),
+ LoginURL: infrastructureConfig.Status.APIServerURL,
 AssetPublicURL: assetPublicURL, // set console route as valid 302 redirect for logout
 AlwaysShowProviderSelection: false,
 IdentityProviders: identityProviders,
@@ -153,7 +135,7 @@ func (c *authOperator) handleOAuthConfig(
 },
 }
- cliConfigBytes := encodeOrDieKubeControlplane(cliConfig)
+ cliConfigBytes := encodeOrDie(cliConfig)
 completeConfigBytes, err := resourcemerge.MergeProcessConfig(nil, cliConfigBytes, operatorConfig.Spec.UnsupportedConfigOverrides.Raw)
 if err != nil {
@@ -179,11 +161,3 @@ func getMasterCA() *string {
 ca := serviceCAPath // need local var to be able to take address of it
 return &ca
 }
-
-func encodeOrDieKubeControlplane(obj runtime.Object) []byte {
- bytes, err := runtime.Encode(kubeControlplaneEncoder, obj)
- if err != nil {
- panic(err) // indicates static generated code is broken, unrecoverable
- }
- return bytes
-}
diff --git a/pkg/operator2/operator.go b/pkg/operator2/operator.go
index 1a1623fad0..71a1afd50e 100644
--- a/pkg/operator2/operator.go
+++ b/pkg/operator2/operator.go
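Review bot: In the oauth.go hunk at `cliConfigBytes := encodeOrDie(cliConfig)`, the call now has to serialize an `*osinv1.OsinServerConfig`, but `encodeOrDie` and the scheme behind it are defined outside this diff. The removed `encodeOrDieKubeControlplane` panicked on any encode error and depended on `kubecontrolplanev1.Install` running in `init()`. If `encodeOrDie` follows the same pattern, the osin v1 types must be registered in its scheme or the operator will panic during sync rather than return an error. Please confirm that registration exists and add a unit test that round-trips an `OsinServerConfig` through `encodeOrDie`. `handleOAuthConfig` begins and ends outside this hunk.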
@@ -90,6 +90,7 @@ type authOperator struct {
 authentication configv1client.AuthenticationInterface
 oauth configv1client.OAuthInterface
 console configv1client.ConsoleInterface
+ infrastructure configv1client.InfrastructureInterface
 resourceSyncer resourcesynccontroller.ResourceSyncer
 }
@@ -120,6 +121,7 @@ func NewAuthenticationOperator(
 authentication: configClient.ConfigV1().Authentications(),
 oauth: configClient.ConfigV1().OAuths(),
 console: configClient.ConfigV1().Consoles(),
+ infrastructure: configClient.ConfigV1().Infrastructures(),
 resourceSyncer: resourceSyncer,
 }
@@ -143,6 +145,7 @@ func NewAuthenticationOperator(
 operator.WithInformer(configV1Informers.Authentications(), configNameFilter),
 operator.WithInformer(configV1Informers.OAuths(), configNameFilter),
 operator.WithInformer(configV1Informers.Consoles(), configNameFilter, controller.WithNoSync()),
+ operator.WithInformer(configV1Informers.Infrastructures(), configNameFilter, controller.WithNoSync()),
 )
 }
@@ -235,7 +238,10 @@ func (c *authOperator) handleSync(operatorConfig *operatorv1.Authentication) err
 consoleConfig := c.handleConsoleConfig()
 resourceVersions = append(resourceVersions, consoleConfig.GetResourceVersion())
- oauthConfig, expectedCLIconfig, syncData, err := c.handleOAuthConfig(operatorConfig, route, service, consoleConfig)
+ infrastructureConfig := c.handleInfrastructureConfig()
+ resourceVersions = append(resourceVersions, infrastructureConfig.GetResourceVersion())
+
+ oauthConfig, expectedCLIconfig, syncData, err := c.handleOAuthConfig(operatorConfig, route, service, consoleConfig, infrastructureConfig)
 if err != nil {
 return err
 }
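Review bot: In the `handleSync` hunk, `infrastructureConfig.GetResourceVersion()` is the empty string whenever `handleInfrastructureConfig` fell back to its placeholder, so `resourceVersions` differs between a failed and a successful read. How `resourceVersions` is consumed lies outside this hunk; if it drives redeployment, a transient API error would roll out a config with an empty `LoginURL` and then roll again once the `Get` recovers. If an empty login URL is not acceptable, stop before rendering: `if len(infrastructureConfig.Status.APIServerURL) == 0 { return fmt.Errorf("infrastructure config has no APIServerURL") }`. That assumes fmt is imported in operator.go, which this hunk does not show. The `consoleConfig` lines just above have the same property.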