The Implicit Grant type flow sends tokens over HTTP before any confirmation with the client occurs. This method has been deprecated by many organizations due to the unnecessary risk. There is a better way with the Authorization Code Grant. This is the method recommended by OAuth.
This page https://docs.sophos.com/central/partner/help/en-us/Help/SettingsAndPolicies/SophosSignin/OpenIDConnectIDP/index.html#use-google-workspace-as-an-identity-provider was updated in 2023 and still states that the old, broken method is a requirement.
Does this indicate that Sophos is no longer performing any development or maintenance to support federated Central logon? If it is being abandoned, the customers should be properly advised.
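
The difference between the two grant types raised in the post above is visible in the `response_type` parameter of the authorization request. This is an added example, not part of the original post and not Sophos or Google code: it classifies an authorization request URL and reports front-channel tokens or missing PKCE. The function name, the `idp.example` host, the client ID and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# response_type values that make the authorization endpoint return tokens directly
FRONT_CHANNEL_TOKENS = {"token", "id_token"}

def classify_authorization_request(url: str) -> dict:
    """Classify an OAuth 2.0 / OpenID Connect authorization request URL."""
    query = parse_qs(urlsplit(url).query)
    # response_type is a space-separated set; order is not significant
    response_types = set(query.get("response_type", [""])[0].split())
    has_code = "code" in response_types
    front_channel = sorted(response_types & FRONT_CHANNEL_TOKENS)

    if not response_types:
        flow = "invalid"
    elif has_code and front_channel:
        flow = "hybrid"
    elif has_code:
        flow = "authorization_code"
    elif front_channel:
        flow = "implicit"
    else:
        flow = "unknown"

    findings = []
    if front_channel:
        findings.append("tokens returned in the redirect: " + ", ".join(front_channel))
    if has_code:
        # RFC 7636: an absent code_challenge_method defaults to "plain"
        method = query.get("code_challenge_method", ["plain"])[0]
        if "code_challenge" not in query:
            findings.append("authorization code requested without PKCE")
        elif method != "S256":
            findings.append("PKCE uses code_challenge_method=%s, not S256" % method)
    return {"flow": flow, "findings": findings}

# Constructed sample requests (hypothetical IdP and client)
BASE = "https://idp.example/authorize?client_id=example-client&scope=openid&state=abc"
IMPLICIT_URL = BASE + "&response_type=id_token%20token&nonce=n1"
CODE_PKCE_URL = BASE + "&response_type=code&code_challenge=xyz&code_challenge_method=S256"
CODE_NO_PKCE_URL = BASE + "&response_type=code"

if __name__ == "__main__":
    for sample in (IMPLICIT_URL, CODE_PKCE_URL, CODE_NO_PKCE_URL):
        print(classify_authorization_request(sample))
```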