I've seen a SaaS app team who couldn't implement OIDC because their login screen is actually some kind of maven plugin (so they don't control it). They can't move to the latest version of that plugin that does supports OIDC, because that needs the latest Maven version. They're using a BPE (process engine), though, that is end-of-life and won't work with the latest Maven.

They're in dependency hell. So we put their whole app behind a proxy that does our SSO.