Vault OIDC provider /authorize endpoint permission denied

Hi all,

I’m looking at using the Vault OIDC provider’s /authorize API directly without using the Vault UI, ie. calling
/v1/identity/oidc/provider/<name>/authorize instead of /ui/vault/identity/oidc/provider/<name>/authorize.

This is essentially what the UI itself calls when doing sign-on.

However, apparently this /authorize endpoint does not work without providing a Vault token.

curl \
    --request GET \
    -G \
    -d "response_type=code" \
    -d "client_id=$CLIENT_ID" \
    --data-urlencode "scope=email openid profile groups" \
    --data-urlencode "redirect_uri=$CALLBACK_URI" \

The only relevant example I found here uses the X-Vault-Token header.

My question is, why does using the authorization endpoint require authorization?

Please advise,