Looks like some issue in your Op Provider oidc.surfconext.nl . Though it has a registration_endpoint but seems it does not allow dynamic client registration. And throw "Forbidden error". You may need to check why your op provider's registration_endpoint (https://oidc.surfconext.nl/register) throws "Forbidden error".
The oxd Wordpress Plugin does not ask for Client ID and Client secret because it finds registration_endpoint in the OP's .well-known/openid-configuration endpoint and trying for Dynamic Registration which gets "You don't have permission to access /register on this server." as response from the OP.
If you have admin access to your OP Provider oidc.surfconext.nl, you may disable registration_endpoint after which oxd Wordpress plugin will ask to manually enter ClientId and Client Secret.
We may need to modify the plugin, if you have no admin access to the Op Provider to disable "registration_endpoint" or Investigate/fix why "registration_endpoint" throws Forbidden error.
Regarding your log files from Google Doc
- Step 2: register OXD client with OP URL: well know endpoint
The OP host url you have provided is not a valid Op Host url. And it got Sucessfully registered because application tried to search registration_endpoint
from https://ophosturl/well-known/openid-configuration (https://oidc.surfconext.nl/.well-known/openid-configuration/well-known/openid-configuration)
And as the plugin could not find the registration_end point from https://oidc.surfconext.nl/.well-known/openid-configuration/well-known/openid-configuration, it considered that OP does not support dynamic registration and asked for Client ID and Client Secret.
So in Summary step -2 in the Google doc , will never work due to invalid Op host url
- Regarding - Working config on old server
Have you tried to Register Site using old oxd server and Op Host URL https://oidc.surfconext.nl ? If you try to register Site using old oxd-server and Op Host URL https://oidc.surfconext.nl
you will get same "Forbidden" error due to some settings in your OP.