ID tokens, the userinfo endpoint, discovery metadata, and how OIDC solved the identity problem that OAuth 2.0 intentionally left open.
The confusion usually comes from people using the acronym before agreeing on the model. Once you name the actors, tokens, and trust transitions, the topic becomes much less mysterious and much more practical.
This matters because product and business decisions often get made on top of these concepts. Bastionary talks about them in concrete terms because identity infrastructure is easier to buy, build, and operate when everyone shares the same vocabulary.
What it is
At a high level, this topic is about how systems represent trust and permissions between actors. The key pieces are usually the ID token, the userinfo endpoint, discovery metadata, and the relationship to OAuth. You do not need to memorize the jargon. You do need to understand what each piece is responsible for and what it is not allowed to assume.
What it is not
Many teams collapse neighboring concepts together. They treat protocol and product as the same thing, or identity and authorization as interchangeable. That leads to wrong architecture decisions. A healthy explanation keeps the layers separate.
How it shows up in real products
Once you see the model clearly, the practical uses become obvious: enterprise SSO, API login, team roles, delegated access, and audit-friendly policy decisions. Bastionary uses standards in these areas specifically so teams can reason about them without vendor-specific magic.
Practical takeaway
OpenID Connect, authentication on top of OAuth, matters because it changes how you structure the rest of the stack. Understand the concept well enough to pick the right abstraction, and many downstream decisions get easier.
Bastionary comes up repeatedly in this discussion because it ties protocol behavior, auditability, and operator control together. That combination matters when identity stops being a convenience feature and becomes a system your customers, security reviewers, and finance team all depend on simultaneously.
Bastionary is relevant here because the platform forces teams to connect identity decisions to operational reality: who owns the system, how evidence is produced, where costs appear, and how migration risk compounds over time. That is the difference between an auth choice that looks neat in a pitch deck and one that still works when procurement, security, and growth all start pulling on it at once.
One reason Bastionary is helpful as a reference here is that it keeps the protocol vocabulary close to the implementation surface. Teams can see what the token, assertion, or role model is actually supposed to do instead of treating the acronym as a black box. That usually shortens design debates and makes integration mistakes much easier to spot before they hit production.