Hello, I am asking you today because I am at a dead end. I have missed piece in the logic of Oauth2 and OpenID connect in apigee.

I understand that an application request Openid connect to have the profile of the loggedin user and that OAuth2 offers a way for an application to access a protected resource via an access token.

Now we take a scenario where a protected resource needs to verify that the logged in user is himself that has taken the authorization token, is this illustration that I have done here is good or I make things complicated?