How to migrate from apache/mod_auth_oidc? #28
Unanswered
amkearns-usgs asked this question in Q&A
Replies: 0 comments
We are looking to containerize applications and due to being lightweight and overall easy-to-configure, we're trying to use nginx as our main server/proxy software for our containers. Most of our applications are built in-house and use OIDC libraries as part of the application code. One exception, however, uses Apache server to manage the OIDC settings with the help of mod_auth_oidc. In trying to migrate from Apache to nginx, I'm noticing that the fields are not 1:1 between configurations.
The claim being used to validate users is upn. In Apache, this seems straightforward:

```
OIDCRemoteUserClaim upn
```

I notice there is another field in the equivalent setting in the nginx extension and I am not entirely sure how it works (while I'm responsible for coding parts of these projects and deploying them, I'm not responsible for our SSO in any way). I presume it would look something like this to be equivalent:

```
OpenIDCClaim upn $pfc_claim_upn;
```

Is that correct? I am not entirely clear where this variable comes from or how it is used, so I am guessing from the examples provided.

Another question I have is what the `scope` and `token_endpoint_auth_method` values represent in OpenIDCClient. These don't appear to have an equivalent in the Apache configuration, though the documentation suggests the former value must have at least `openid` and thus must exist in the configuration.

We're still in the process of figuring things out, so the answer may well be to try to revert to Apache and the appropriate module since it's working now (though we may have some issues with SSL settings that would be outside the scope of this discussion).