1
votes

I'm having a really hard time grasping the B2C authentication and authorization flows. Could someone explain:

  • Why do we need client credentials if I sign in with a user who gives consent? And when are these client credentials used?
  • When is OpenID used and when is OAuth 2.0 used in the flow?
  • Is there a difference between the ID token and the access token? If so, what is that difference and why do we need both? Is the ID token the one I get when I sign in, and the access token what I get when I request access to an API?

1 Answer

4
votes

Why do we need client credentials if I sign in with a user who gives consent? And when are these client credentials used?

Your app needs to prove its identity when requesting an access token.

In the authorization code flow, they are used together with the authorization code to get an access token after the user is redirected back to your app.

When is OpenID used and when is OAuth 2.0 used in the flow?

OpenID Connect adds authentication to OAuth, which is focused on authorization. So when you redirect the user to login, you are using OIDC. Then when you get the access token by exchanging credentials, you are using OAuth. (This is my understanding at least.)

Is there a difference between the ID token and the access token? If so, what is that difference and why do we need both? Is the ID token the one I get when I sign in, and the access token what I get when I request access to an API?

Yes, though they are similar in certain ways. An ID token is given after login (if you asked for one). It is meant to identify a user and be used by the app which requested authentication. It contains claims like the user's display name. An access token is requested by an app, but it is not meant to be read by that app. It is meant to be attached to requests to another API, which then validates the token and gets the caller's information from it. Your understanding is correct.
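To make the ID token versus access token distinction concrete, here is an added example (not from the question or the answer, and not Azure AD B2C's own code) that mints a constructed ID token and access token for the same signed-in user, then shows that the client app's checks accept only the ID token (audience = the app, nonce = this login) while the API's checks accept only the access token (audience = the API, required scope present). It assumes a shared HS256 key and made-up issuer, client ID and API audience; a real B2C tenant signs with RS256 and publishes its keys at the tenant's JWKS endpoint.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values. A real B2C tenant signs tokens with RS256 and publishes its
# public keys at the JWKS endpoint; the shared HS256 key is a stand-in to run offline.
ISSUER = "https://example-tenant.b2clogin.com/example-tenant-id/v2.0/"
CLIENT_ID = "client-app-id"        # the app the user signed in to (aud of the ID token)
API_AUDIENCE = "api://orders-api"  # the API being called (aud of the access token)
SIGNING_KEY = b"demo-signing-key"

def _b64url(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict) -> str:
    """Issue an HS256 JWT (the identity provider's job; used here only to build samples)."""
    head = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verified_claims(token: str) -> dict:
    """Signature and expiry checks every consumer does before trusting any claim."""
    head, body, sig = token.split(".")
    expect = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64url(sig), expect):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims

def app_accepts(token: str, nonce: str) -> bool:
    """Client app's view of an ID token: issued to *this app* for *this login* (nonce)."""
    try:
        c = verified_claims(token)
        return c["iss"] == ISSUER and c["aud"] == CLIENT_ID and c.get("nonce") == nonce
    except (ValueError, KeyError): return False

def api_accepts(token: str, scope: str) -> bool:
    """API's view of an access token: addressed to *the API* and granting the scope."""
    try:
        c = verified_claims(token)
        return c["iss"] == ISSUER and c["aud"] == API_AUDIENCE and scope in c.get("scp", "").split()
    except (ValueError, KeyError): return False

def sample_tokens(nonce: str = "login-nonce-1") -> tuple:
    """Constructed ID token and access token for one user, as returned after sign-in."""
    exp = int(time.time()) + 600
    id_tok = mint({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1", "name": "Ada", "nonce": nonce, "exp": exp})
    at_tok = mint({"iss": ISSUER, "aud": API_AUDIENCE, "sub": "user-1", "scp": "Orders.Read", "exp": exp})
    return id_tok, at_tok
```

Handing the ID token to the API, or the access token to the app's own login check, fails the audience check even though both tokens are validly signed for the same user.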