kevin_thibedeau 2 days ago

If I'm authenticating with server A, I shouldn't have to carry ephemera from server B. A can interact with B on its own if necessary.

Bubbling up these architectural details to the front end is a symptom of the webdev cargo cult coming up with broken ideas that get fossilized as the status quo.

johnmaguire 2 days ago

With OIDC, both occur: the client is redirected to the authentication server where they directly authenticate, then carries a token cross-domain back to the service. Finally, the service validates the token against the auth server.

The alternative would be something where I enter my Google username/password on random websites, and trust that they will forward it to Google and not do anything nefarious. This is less secure and less private.