...
In V3.3+ of the plugin, the support for plain OAuth2 authorization requests can be controlled via idp.oauth2.requireAuthenticationRequestPredicate property. In order the default behaviour as before V3.3, the property value defaults to a predicate shibbilethshibboleth.Conditions.TRUE, meaning that OIDC authentication requests are always required. One principal requirement for an OIDC authentication request is to include openid in the requested scopes. If the predicate is configured to return false, then non-OIDC requests are enabled. For these RPs, one must configure at least one audience in the RP metadata for controlling the target audience of the access tokens. See audience claim in OAuthRPMetadataProfile .
...