I forgot to pass down the introspectionURL parameter that is required to enable authentication with opaque OAuth tokens...and found out when reviewing docs which claimed that the registry server only supports JWTs..at first I thought it was a bug in the docs, but realized I screwed up the implementation.

User impact: if the provided IDP was not fully OIDC compliant but only OAuth compliant and issuing opaque OAuth tokens, the user wouldn't be able to log in. An example is Google IDP.