by gkoller 930 days ago
If login/Single Sign On is what you are after, you are arguably better off with Central Authentication Service (CAS). It is much simpler. Unfortunately it isn't as widely known or popular.
2 comments

Yep, this is why I say that OIDC is vastly misused. There are much better options out there for implementing good, solid login and session flows. Using OIDC as the only tool in the toolbox is a recipe for disaster.

Why is this getting downvoted? It seems like an interesting point.

Because the CAS protocol is deprecated? It's arguably simpler and easier to deal with and works really well, but not that well supported, and that isn't likely to improve as the protocol won't evolve any further.

We're currently in the process of migrating from CAS to OIDC and so far the server side hasn't been much of an issue, but compared to CAS the clients are a little hit and miss. Authentication always works, but claims are annoying.