@David_Foote, please use the Bearer scheme instead of bearer while sending the request.
curl -v --header "Authorization: Bearer xxxxxxxx" http://sgp2:4984/sgp-us/_session
According to the HTTP RFC 2616, header field names are case-insensitive, but the OAuth 2.0 Authorization Framework: Bearer Token Usage RFC 6750 specifically states that all the protocol parameter names and values are case sensitive unless otherwise specified. Sync Gateway adheres to the RFC 6750 standard while serving authentication requests. In this particular case, even though OpenID Connect is enabled, the request was not routed to the OIDC Implicit Flow due to the lack of “Bearer”, and the request ended up in 401 Invalid Login.
Also, it is worth checking the Sync Gateway config file and ensuring that the issuer specified in the provider configuration matches the issuer in the JWT, to avoid potential authentication failures during token verification.
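A client-side preflight for the two checks described in the post above, as an added example that is not part of the original post and is not Sync Gateway's code. The function names and the issuer URL are hypothetical, the token is a constructed unsigned sample, and no signature verification is performed.

```python
import base64
import json

ISSUER = "https://idp.example.com"  # assumed issuer from the provider config


def decode_segment(segment):
    """Decode one base64url JWT segment (padding restored) into Python data."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def make_sample_jwt(issuer):
    """Constructed, unsigned sample token for the demo; not a real credential."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc({"iss": issuer}), "c2ln"])


def preflight(authorization, expected_issuer):
    """Return the problems found in an Authorization header; empty if none.

    Only inspects what the client sends; the signature is not verified.
    """
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer":  # exact, case-sensitive match
        return [f"scheme is {scheme!r}, expected exactly 'Bearer'"]
    parts = token.strip().split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    try:
        claims = decode_segment(parts[1])
    except ValueError:
        return ["JWT payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["JWT payload is not a JSON object"]
    iss = claims.get("iss")
    if iss != expected_issuer:
        return [f"iss {iss!r} does not match configured {expected_issuer!r}"]
    return []


if __name__ == "__main__":
    good = make_sample_jwt(ISSUER)
    for header in ("bearer " + good, "Bearer " + good,
                   "Bearer " + make_sample_jwt(ISSUER + "/")):
        print(header[:14], "->", preflight(header, ISSUER) or "ok")
```

The third sample shows that a trailing slash alone is enough to make the issuer comparison fail.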