John Frizelle For push we use the binding to gather the sender tokens from Firebase and APNS. UPS uses these for its internal processes and mobile-services.json embed that information for the phone as well. I don't think there is a way to get around this one.

Likewise, with keycloak it is not alway public, sometimes you might want to have bearer only from the phone. This would be a situation where you were using third party tokens and weren't going to prompt for a log in screen (think the account picker).

I don't think metrics or data sync have any needs at the moment.