Lib is currently broken with itsdangerous 2.1, since it apparently used the JWT wrappers (like we did). At a glance, though, it hasn't had an update in several years. Worth looking to see if there is a better option at this point.

The itsdangerous-related breakage and puiterwijk/flask-oidc#138 are the most concerning ones here for me. The primary developers have not been communicative on issues for years now, which makes me think the project is dead in the water.

At this point, since we'll plan on putting in a more generic OAuth2 authenticator and flow, I think it's safe to put a pending deprecation warning on the OIDC pieces. They currently work, if the calling app is willing to do the work of pinning various requirements.