Also worth noting that the OIDC “Implicit Flow” does increase the surface area for CSRF attacks and token exposure:
I think it can still make sense for some situations. But it seems like the Authorization Code flow (Discourse’s default) with PKCE (optional in Discourse) is the most-recommended way to use OIDC.
So it may be worth reconsidering this statement:
Is switching to the OIDC implicit flow, and therefore transmitting all your user information via the client, really an improved security posture?
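To make the Authorization Code + PKCE point concrete, here is an added example (not Discourse's code and not from any provider) of the RFC 7636 S256 verifier/challenge derivation, the provider-side check at the token endpoint, and the client-side `state` check. The `AuthServer` class and `run_flow` helper are constructed stand-ins for a real OpenID Provider and relying party; the token value is a labelled placeholder.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed example (not Discourse's or any provider's code): the PKCE
# verifier/challenge derivation from RFC 7636 (S256) plus the checks each
# side performs in an Authorization Code flow. "AuthServer" below is an
# in-process stand-in for a real OpenID Provider.

_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")  # RFC 7636 section 4.1


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    # 32 random bytes encode to 43 characters, the RFC minimum length
    return b64url_nopad(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Provider-side check at the token endpoint."""
    if not _VERIFIER_RE.match(presented_verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":  # permitted by the RFC but gives no protection; prefer S256
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


class AuthServer:
    """Toy provider: remembers the challenge bound to each one-time code."""

    def __init__(self):
        self._codes = {}

    def authorize(self, code_challenge: str, method: str) -> str:
        code = b64url_nopad(secrets.token_bytes(16))
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str):
        entry = self._codes.pop(code, None)  # authorization codes are single-use
        if entry is None or not verify_pkce(entry[0], entry[1], code_verifier):
            return None
        return {"access_token": "constructed-token-" + code[:6], "token_type": "Bearer"}


def run_flow(tamper: str = "") -> str:
    """Relying-party side; `tamper` simulates interference with one step."""
    provider = AuthServer()
    verifier = generate_code_verifier()
    state = b64url_nopad(secrets.token_bytes(16))  # kept in the client session
    # 1. front channel: only the hashed challenge and the state leave the client
    code = provider.authorize(code_challenge_s256(verifier), "S256")
    returned_state = "forged" if tamper == "state" else state
    # 2. redirect back: the client first checks the anti-CSRF state value
    if not hmac.compare_digest(returned_state, state):
        return "state mismatch"
    # 3. back channel: code + original verifier; the token never rides in a browser URL
    presented = generate_code_verifier() if tamper == "verifier" else verifier
    result = provider.token(code, presented)
    return "token issued" if result else "pkce rejected"


if __name__ == "__main__":
    print(run_flow(), run_flow(tamper="state"), run_flow(tamper="verifier"))
```

The contrast with the implicit flow is in step 3: the access token is obtained over the back channel against a one-time code bound to the SHA-256 challenge, so an intercepted code is useless without the verifier, and nothing token-like ever appears in the redirect URL.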