How to verify which resources each user can access with OAuth and OpenID Connect?

Front-end · Unresolved · 2 · 507
遥遥无期 2020-12-13 07:03

Suppose we have some RESTful API whose resources we want to expose. End users will work with this API through client applications like mobile apps and JavaScript based clien

2 answers
  •  春和景丽
    2020-12-13 07:46

    You are right, OAuth is NOT an authentication protocol but rather a delegation protocol.

    OpenID Connect adds two notable identity constructs to OAuth 2.0's token issuance model.

    • an Identity Token - the delivery of which from one party to another can enable a Federated Identity SSO user experience

    • a standardized identity attribute API - at which a client can retrieve desired identity attributes for a given user.

    The ID Token can be presented to the userinfo_endpoint to obtain the information and provides a level of assurance that the user has been authenticated by the OpenID Provider.

    BTW: The "sub" is only unique within the context of the Authorization Server. It is recommended that IF you store the sub, you also store something like iss-sub. The thought is that tsmith at Google may not be tsmith at Twitter.
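As an added example (not the answerer's own code, nor any library's API): a minimal Python check of an ID token that pins the algorithm, verifies the signature, issuer, audience and expiry, and then keys local permissions on the pair (iss, sub) rather than sub alone, so the same "tsmith" from two providers resolves to two different principals. The client id, shared secret, issuer URLs and permission table are constructed; it uses HS256 with a client secret to stay self-contained, whereas real providers usually sign with RS256 and publish keys via JWKS.

```python
import base64, hmac, hashlib, json, time
# Constructed example values; a real OP normally signs ID tokens with RS256 and
# publishes its keys via JWKS, this demo uses a shared HS256 secret instead.
CLIENT_ID = "my-api-client"                    # our client_id, the expected "aud" (assumed)
CLIENT_SECRET = b"constructed-shared-secret"   # HS256 key shared with the OP (assumed)
TRUSTED_ISSUERS = {"https://accounts.example.com", "https://login.other-idp.example"}

# Local authorization table keyed by issuer-scoped subject, as the answer recommends:
# the same "sub" at two providers is two different principals.
PERMISSIONS = {
    ("https://accounts.example.com", "tsmith"): {"orders:read", "orders:write"},
    ("https://login.other-idp.example", "tsmith"): {"orders:read"},
}

def _b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_id_token(token, now=None):
    """Check signature, iss, aud and exp of an HS256 ID token; return its claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def permissions_for(token, now=None):
    """Map the verified token to local rights via (iss, sub), not sub alone."""
    claims = verify_id_token(token, now)
    return PERMISSIONS.get((claims["iss"], claims["sub"]), set())

def make_id_token(claims):
    """Constructed helper that mints a test token the way an HS256 OP would."""
    h = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```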
