A really good job.

Hello,
Good job.
Works like a charm.
And the JWT allows the proxy and the WP to be on separate machines without impeding security and without the need to use PKI.

A few suggestions nevertheless:
1. priorizing the attributes’values coming from the directory (through the id_token) against WP own values [1];
2. giving the possibility to fill in other profile’s attributes (firstname, lastname, social networks profiles, etc).

[1] Above all the role MUST be set by the directory not by another user be it an administrator. That means there SHOULD exist a mean to override the user attributes or, at least, there exist a flag to do so.
IAM is a too serious thing to be let in WP administrators’hands ??
db