ZegnatNote that from a security perspective, any user with access to plugins or the theme can be allowed to authenticate as the root site. Since they are in charge of chosing the auth endpoint anyway and could swap it out for one that lets them do it.
