I am asking you today because I am at a dead end. I have a missing piece in the logic of OAuth2 and OpenID Connect in Apigee.
I understand that an application uses OpenID Connect to obtain the profile of the logged-in user, and that OAuth2 offers a way for an application to access a protected resource via an access token.
Now take a scenario where a protected resource needs to verify that the logged-in user is the same one who obtained the authorization token. Is the illustration I have done here good, or am I making things complicated?
From my understanding, what you have missed is the introspection endpoint.
This endpoint is designed for resource servers. It allows them to get details about the access token used by the client. If the access token is active, you will receive claims about it and especially the `sub` claim that represents the resource owner (i.e. the user in your use case).
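As an added example (not code from the answer's author or from Apigee), here is how a resource server can use the introspection response to make the check the question asks for: the token must be active, unexpired, carry the needed scope, and its `sub` must match the user the request claims to act for. The introspection URL is an assumed placeholder and the HTTP call is stubbed with constructed responses so it runs offline.

```python
import json
import time
from typing import Any, Callable, Dict, Tuple

# Assumed placeholder; a real deployment uses its own introspection endpoint.
INTROSPECTION_URL = "https://example-org-test.apigee.net/oauth/introspect"

# Constructed RFC 7662 style responses, keyed by the token string the client sent.
_FAKE_RESPONSES = {
    "tok-alice": {"active": True, "sub": "alice", "scope": "profile read",
                  "client_id": "web-app", "exp": 1_750_000_000},
    "tok-revoked": {"active": False},  # revoked/unknown tokens only say "active": false
}

def fake_post(url: str, form: Dict[str, str]) -> str:
    """Stand-in for the resource server's authenticated POST to the introspection endpoint."""
    assert url == INTROSPECTION_URL
    return json.dumps(_FAKE_RESPONSES.get(form["token"], {"active": False}))

def introspect(token: str, post: Callable[[str, Dict[str, str]], str]) -> Dict[str, Any]:
    """Send token=<access_token> as a form body and parse the JSON introspection result."""
    body = post(INTROSPECTION_URL, {"token": token, "token_type_hint": "access_token"})
    return json.loads(body)

def check_token(info: Dict[str, Any], expected_sub: str, required_scope: str,
                now: float = None) -> Tuple[bool, str]:
    """Decide whether the introspected token authorizes a request made on behalf of expected_sub."""
    now = time.time() if now is None else now
    if not info.get("active"):
        return False, "token inactive or unknown"
    if "exp" in info and info["exp"] <= now:  # defensive: servers should already report inactive
        return False, "token expired"
    if required_scope not in set(info.get("scope", "").split()):
        return False, f"missing scope {required_scope}"
    if info.get("sub") != expected_sub:  # the core check: token owner == logged-in user
        return False, "token was not issued to this user"
    return True, "ok"

if __name__ == "__main__":
    for tok, user in [("tok-alice", "alice"), ("tok-alice", "bob"), ("tok-revoked", "alice")]:
        print(tok, user, check_token(introspect(tok, fake_post), user, "profile"))
```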