OpenID Connect would have been superb without the annoying notion of html redirect. I despised OAuth2 for that, I jumped on the specifications of OpenID Connect thinking it would have a good answer, and I wasn’t pleased to see that it’s still there. So either vendors have an interest in keeping things that way, or there was an oversight. The latter is implausible, so it’s got to be the former.