If you use e.g., "Sign in with Google" today, you get redirected to your web browser, log in, and get redirected back to the client. This means you can use the saved passwords of your browser, and if already logged in there, you just have to click "continue" instead of logging in again.

With MAS, every login works like that. If you click "sign in", instead of getting redirected to Google, you get redirected to the website of your homeserver, where you can login and authenticate before being redirected back to the client.

The primary benefit of using a standard OIDC flow is that your authentication server can easily add support for passkeys, webauthn, TOTP or captchas, without having to wait for every single client to support these features.

While matrix.org uses MAS for this, providing the same login features as it used to, your organization might want to use Keycloak to connect their homeserver directly to LDAP.

The downside is that you need a full browser to authenticate this way.