OIDC/oAuth seems like the solution: make it somebody else's problem. But OIDC tokens can be stolen, they can change domains because of misconfiguration or bad redirect urls.