[A huge THANK YOU to my friend Mike Jones for his invaluable feedback and advice about this long and complicated post.]

If there’s a question that I dread receiving – and I receive it very often nonetheless, even from colleagues – it is the following: “Why can’t I provision in ACS OAuth 2.0 providers in the same way as I provision OpenID providers?” Or its alternative, linearly-dependent formulation: