[JoeBOFH]

So how would this help in this case? The oauth info would’ve just been in the csv or in someone’s env file.

[sofixa]

With OIDC, the "info" would be just a URL with the public signing keys that the server accepts as legitimate signers.

The server still does authorisation on top. And unless you control the private keys, you cannot mint JWTs that are accepted as legitimate.

So the "info" leaking is really not a problem.