
I've been reading a lot about both these technologies, and I feel like I have a decent understanding of them. However, there is one important thing I don't quite seem to understand. OAuth is meant to be used for authorization, while OpenID Connect is for authentication. However, in the RFC for OAuth (https://tools.ietf.org/html/rfc6749#section-4.1) it says we have a step where we authenticate the resource owner (in the authorization code grant it's step (B)). So it seems to me we already have authentication in OAuth? What am I missing? I've been wondering if it might be that this authentication that is referenced is undefined, so OpenID Connect is just a "standard" we can plug in here?

I know OpenID Connect is what is used when you can sign up on a service using, for example, your Facebook login. Is it correctly understood that in this case the service would be the relying party (OIDC lingo)/client (OAuth lingo), Facebook would be the identity provider/authorization server, and Facebook would also be the UserInfo Endpoint/resource server? I'm especially a bit unsure about whether Facebook plays both these roles. In the specification it seems they are/can be played by different actors. When looking at this scenario in regards to OAuth, the resources the client is authorized to access would be information about the resource owner in order for it to "make a profile" without the user actually having to make one. Is this correctly understood?

EDIT: Are the identity provider and the authorization server even the same? Does someone perchance have a diagram that shows all the roles of both OAuth and OIDC and how they interact?

There are about five different questions here. Try to narrow down your scope or clarify what your specific questions are. – Jerry

1 Answer


The Resource Owner Password Credentials grant type is a special case in OAuth 2.0; it is an anti-OAuth pattern only there for backwards compatibility and migration purposes. OAuth 2.0 does not authenticate users in general and leaves this to other protocols, possibly protocols that extend OAuth 2.0 like OpenID Connect. A good article on this can be found here: http://oauth.net/articles/authentication/
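To make the distinction between the two questions concrete, here is an added, self-contained model of the authorization code grant with OpenID Connect layered on top. It is illustration code written for this page, not code from the question, the answer, or any OAuth/OIDC library, and every name, user, secret and endpoint in it is constructed. It shows three things the thread discusses: step (B) is the authorization server authenticating the user by some means OAuth does not specify (here a plain password check); the same party can play authorization server, identity provider and UserInfo resource server at once; and the thing that actually lets the client learn *who* logged in is the signed ID token that OIDC adds to the token response, which the relying party must validate (issuer, audience, expiry, nonce, signature) before trusting. With a plain OAuth scope and no `openid`, the client gets an access token it can use at the resource server but no authenticated identity of its own. The ID token is signed with HS256 using the client secret as the key, which OIDC Core permits as the symmetric option; a real deployment would more often use RS256 with the provider's published keys.

```python
"""Toy OAuth 2.0 authorization code grant + OpenID Connect ID token.
Illustration only; all values (issuer, client, users, secrets) are constructed."""
import base64, hashlib, hmac, json, secrets, time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class AuthorizationServer:
    """One party acting as OAuth authorization server, OIDC identity provider
    (OpenID Provider) and the UserInfo resource server, as in the Facebook case."""

    def __init__(self, issuer: str, client_id: str, client_secret: str):
        self.issuer = issuer
        self.clients = {client_id: client_secret}
        self.users = {"alice": "correct horse battery staple"}  # constructed test user
        self.codes = {}          # authorization code -> (sub, scope, nonce, client_id)
        self.access_tokens = {}  # access token -> (sub, scope)

    def authorize(self, client_id, scope, nonce, username, password):
        """Step (B) of RFC 6749 4.1: the AS authenticates the resource owner.
        OAuth leaves the mechanism undefined; this toy uses a password check."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        if self.users.get(username) != password:
            raise PermissionError("end-user authentication failed")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, scope, nonce, client_id)
        return code  # step (C): code returned to the client via the user agent

    def token(self, client_id, client_secret, code):
        """Step (D)/(E): client authenticates, exchanges the code for tokens."""
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("client authentication failed")
        sub, scope, nonce, code_client = self.codes.pop(code)  # codes are single-use
        if code_client != client_id:
            raise PermissionError("code was issued to a different client")
        access_token = secrets.token_urlsafe(16)
        self.access_tokens[access_token] = (sub, scope)
        resp = {"access_token": access_token, "token_type": "Bearer"}
        if "openid" in scope.split():  # OIDC: only then is an ID token issued
            resp["id_token"] = self._id_token(sub, client_id, nonce)
        return resp

    def _id_token(self, sub, aud, nonce):
        now = int(time.time())
        claims = {"iss": self.issuer, "sub": sub, "aud": aud,
                  "iat": now, "exp": now + 300, "nonce": nonce}
        header = {"alg": "HS256", "typ": "JWT"}
        signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
        sig = hmac.new(self.clients[aud].encode(), signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)

    def userinfo(self, access_token):
        """Resource-server role: a bearer access token unlocks profile data."""
        sub, _scope = self.access_tokens[access_token]
        return {"sub": sub, "name": sub.title()}


class RelyingParty:
    """The service the user signs up on: OIDC relying party / OAuth client."""

    def __init__(self, client_id, client_secret, issuer):
        self.client_id, self.client_secret, self.issuer = client_id, client_secret, issuer

    def verify_id_token(self, id_token, expected_nonce, now=None):
        """Checks the RP must do before treating the ID token as a login."""
        now = int(time.time()) if now is None else now
        h, p, s = id_token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(self.client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            raise ValueError("bad signature")
        c = json.loads(b64url_decode(p))
        if c.get("iss") != self.issuer or c.get("aud") != self.client_id:
            raise ValueError("wrong issuer or audience")
        if c.get("exp", 0) <= now or c.get("nonce") != expected_nonce:
            raise ValueError("expired token or nonce mismatch")
        return c["sub"]


def demo_login(scope: str) -> dict:
    """Run the whole exchange for the given scope; returns what the RP learned."""
    issuer, cid, csecret = "https://idp.example", "signup-app", "constructed-secret"
    idp = AuthorizationServer(issuer, cid, csecret)
    rp = RelyingParty(cid, csecret, issuer)
    nonce = secrets.token_urlsafe(8)
    code = idp.authorize(cid, scope, nonce, "alice", "correct horse battery staple")
    tokens = idp.token(cid, csecret, code)
    sub = rp.verify_id_token(tokens["id_token"], nonce) if "id_token" in tokens else None
    return {"authenticated_sub": sub, "profile": idp.userinfo(tokens["access_token"]),
            "id_token": tokens.get("id_token"), "nonce": nonce, "rp": rp}


def forged_token_rejected() -> bool:
    """Swap the 'sub' claim on a real ID token; the RP must refuse it."""
    r = demo_login("openid profile")
    h, p, s = r["id_token"].split(".")
    claims = json.loads(b64url_decode(p)); claims["sub"] = "mallory"
    forged = h + "." + b64url(json.dumps(claims).encode()) + "." + s
    try:
        r["rp"].verify_id_token(forged, r["nonce"])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo_login("openid profile")["authenticated_sub"])  # alice
    print(demo_login("profile")["authenticated_sub"])         # None: no ID token
    print(forged_token_rejected())                            # True
```

The `demo_login("profile")` call is the OAuth-only case from the question: the client can still fetch the user's profile from the resource server with the access token, but nothing in the response is a statement from the identity provider that *this* user authenticated for *this* client just now, which is exactly what the ID token's `aud`, `nonce` and signature supply.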