Both support state and can be used as a nonce field. I think OIDC only includes a “second field” to be in line with OIDC libraries.
At time of writing both OAuth and OIDC will return an OAuth token.
OIDC returns a JWT, and provides a userinfo endpoint which isn’t rate limited like helix is.
I used a mixture of both on my products.
If I’m just logging the user into a website and doing nothing else, then I’ll use OIDC, usually with their email too. And I’ll ignore/discard the OAuth token.
- OAuth is for “offline access to an account”: the user left/navigated away from your website/tool, and you need to still access their account.
- OIDC is for “login to website/tool” for a short while, since the JWT that represents the user is only valid for a short while and can’t be refreshed, so you only do stuff whilst the user is actually using your tool, and when they leave/navigate away, you don’t retain their auth credentials.
Some usage examples:
- Forum/website logins: OIDC (with email scope).
- Basic website with login: OIDC.
- Tools for sub alerts/notifications: OAuth (scopes as needed).