My one fear with this is offline authentication. I enjoy oauth/oidc a lot, but it doesn't have mechanisms for machines to continue to be able to authenticate while offline, like the way ldap/kerberos can do.

Is this just for machines that will always be online? I can understand that usecase but :/

EDIT: Okay, one comment, mentions himmelblau an alternative to authd, which seems to be more mature. Himmelblau has docs about offline usage. It looks like it has an emergency config that can use a cached password from the oidc provider,

Single-factor authentication (SFA-only) users and Hello-PIN users already have offline sign-in capability

Hmmm. Okay. Upon doing further reseach, it looks like offline authentication is exclusive to Microsoft Entra ID. :/