OpenID Connect is an extension of OAuth2. An OAuth2 server which implements OpenID connect is a so called OpenID provider (OP). The client of an OpenID connect server is called Relying Party (RP).
OpenID Connect offers the possibility to retrieve user profile information beside the access token defined within OAuth2. The user information is delivered within the payload of the id_token or within the access_token.
The following steps are the flow of the authorization code flow of an OP
- The RP open the app and clicks login
- The app starts an authorize request by opening the website which is defined within the authorization endpoint and specifies a redirect url
- The user fills in username and password or any information the OP needs to authorise it's user
- After the user click's continue on the login page the OP will redirect to the url specified in 2. and add an authorization code as a parameter to the redirect url
- The app fetches the authorization code and calls the token endpoint with the grant_type "authorization_code" to obtain an access token
- The OP will reply with an access token, refresh token and a lot of other field defined in oauth2 spec
- The app could now use the access token to authorize the logged in user
- Within the access token or as a separat id token the app could extract user profile information delivered by the OP