I am developing a Web API which will back several applications: a website, companion mobile application(s) and possibly several third-party applications. Every application is expected to get an access token from the auth server and then feed it to the API; the user will enter their credentials either on the auth server's web interface (for third-party applications) or directly in the website or app (for "trusted" applications). The client apps themselves are not expected to require user identity.
I've started implementing it via OAuth 2, and it matches my use cases exactly. But later I found several discussions on the 'net that set me thinking about whether my scenario really requires OpenID Connect, and now, after reading a few thousand words, I still cannot grok which one is better for my case.
(For example, GitHub, which roughly matches my use cases, uses OAuth 2.)
I'd like to hear some guidelines on how one chooses whether one's API requires OAuth 2 or OpenID Connect.
Update
What confuses me is the following: there is a valid point in not using OAuth for authentication. But consider this case (assume that there's a simple business rule: each user can see only their own documents):
- app goes to the auth server for a token
- user authorizes the app, so the token is granted
- app goes to the API with the token for data
- API returns documents for the user that authorized the token (so somehow the token can be traced back to the user)
Is this an authentication scenario or authorization scenario?
PS. I am aware of this question, but the best answer there doesn't address my doubts.
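The four-step flow from the update, sketched as an added example that is not part of the original question: the auth server issues a token naming the user who approved the app, and the API derives document ownership only from the verified token. The HMAC-signed JSON token format, the shared key, the audience value, the `documents:read` scope and the sample documents are all constructed assumptions; an opaque token resolved through introspection would supply the same fields.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"         # assumption: secret shared by auth server and API
API_AUDIENCE = "https://api.example"  # hypothetical identifier of this API
# Constructed sample data: documents keyed by owner.
DOCUMENTS = {"alice": ["alice-notes.txt", "alice-tax.pdf"], "bob": ["bob-cv.docx"]}

class TokenError(Exception):
    """Raised when the API must reject a token."""

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(body):
    return _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def issue_token(user, client_id, scope, ttl=300, now=None):
    """Auth server side (steps 1-2): called after the user approved the app."""
    now = time.time() if now is None else now
    claims = {"sub": user, "client_id": client_id, "scope": scope,
              "aud": API_AUDIENCE, "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def verify_token(token, now=None):
    """API side: check integrity, audience and expiry, then return the claims."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            raise TokenError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except ValueError as exc:
        raise TokenError("malformed token") from exc
    if claims.get("aud") != API_AUDIENCE:
        raise TokenError("token was issued for another API")
    if claims.get("exp", 0) <= now:
        raise TokenError("token expired")
    return claims

def list_documents(token, now=None):
    """API side (steps 3-4): return only the documents of the token's subject."""
    claims = verify_token(token, now)
    if "documents:read" not in claims.get("scope", "").split():
        raise TokenError("missing scope documents:read")
    # The caller never names a user: ownership comes only from the verified token.
    return DOCUMENTS.get(claims["sub"], [])
```

The client application handles the token as an opaque string throughout; only the API reads `sub`, which matches the statement that the client apps do not need the user's identity.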