Sequence diagram. Participants: End User / User-Agent, Relying Party, and the OpenID Provider (AM), which comprises the Authorization Server and the UserInfo Endpoint.

1. Prepare authentication request
2. Redirect...
3. ...for authentication
4. Authenticate end user and confirm resource access
5. If credentials are valid, redirect...
6. ...with authorization code and ID token to redirect_uri
7. Store authorization code. Validate ID token and get subject ID
8. Provide services

When required (before authz code expires):

9. Authenticate, request access token with authorization code
10. If authorization code is valid, return access token
11. Request additional claims with access token
12. Return additional claims
13. Provide additional services
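
Step 7 is where the relying party must confirm that the authorization code and the ID token delivered in the same redirect belong together. The following is an added example, not code from AM or from the original page: it sketches those checks in Python, assuming an HS256-signed ID token that carries the `c_hash` claim defined in OpenID Connect Core 3.3.2.11. The function names, key, issuer URL and sample values are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def c_hash(code: str) -> str:
    # OIDC Core 3.3.2.11: base64url of the left half of SHA-256(code) for *256 algs
    return b64url(hashlib.sha256(code.encode("ascii")).digest()[:16])

def sign_hs256(claims: dict, key: bytes) -> str:  # demo helper: builds constructed tokens
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def validate_hybrid_response(id_token, code, *, key, issuer, client_id, nonce, now=None):
    """Step 7: validate the ID token, bind it to the code, return the subject ID."""
    now = time.time() if now is None else now
    try:
        head, body, sig = id_token.split(".")
        header, claims = (dict(json.loads(b64url_decode(p))) for p in (head, body))
        mac = b64url_decode(sig)
    except (ValueError, TypeError):
        raise ValueError("malformed ID token") from None
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose
        raise ValueError("unexpected alg")
    good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, mac):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if claims.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if claims.get("c_hash") != c_hash(code):  # code swapped or injected in the redirect
        raise ValueError("c_hash mismatch")
    if not isinstance(claims.get("sub"), str):
        raise ValueError("missing sub")
    return claims["sub"]

if __name__ == "__main__":  # constructed demo values, not real credentials
    key, code, op = b"constructed-demo-key", "constructed-code", "https://op.example"
    tok = sign_hs256({"iss": op, "aud": "rp", "sub": "demo-user", "exp": time.time() + 60, "nonce": "n-1", "c_hash": c_hash(code)}, key)
    print(validate_hybrid_response(tok, code, key=key, issuer=op, client_id="rp", nonce="n-1"))
```

Only after this function returns a subject ID should the relying party keep the code for the token request in step 9; a production deployment would normally verify an asymmetric signature against the provider's published keys rather than a shared HS256 secret.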