4. Terminology
4.1. Client
A client is a piece of software that requests tokens from UAS - either for authenticating a user or for accessing a resource (also often called a relying party or RP). A client must be registered with the OP.
Examples: Web applications, native mobile or desktop applications, Single Page Applications (SPA), server processes etc.
4.2. User
A user is a person who is using a registered client to access his/her data.
4.3. Scope
Scopes are identifiers for resources that a client wants to access. This identifier is sent to the OP during an authentication or token request.
By default, every client can request tokens for every scope, but you can restrict that.
They come in two flavors.
4.3.1. Identity scopes
Requesting identity information (aka claims) about a user, e.g. his name or email address, is modeled as a scope in OpenID Connect.
There is for example a scope called profile that includes first name, last name, preferred username, gender, profile picture and more. You can read about the standard scopes here and you can create your own scopes in UAS to model your own requirements.
4.3.2. Resource scopes
Resource scopes identify web APIs (also called resource servers) - you could have for example a scope named calendar that represents your calendar API.
4.4. Authentication/Token Request
Clients request tokens from the OP. Depending on the scopes requested, the OP will return an identity token, an access token, or both.
4.4.1. Identity Token
An identity token represents the outcome of an authentication process. It contains, at a bare minimum, an identifier for the user (the sub, aka subject, claim). It can contain additional information about the user and details on how the user authenticated at the OP.
4.4.2. Access Token
An access token allows access to a resource. Clients request access tokens and forward them to an API. Access tokens contain information about the client and the user (if present). APIs use that information to authorize access to their data.
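The following is an added, self-contained example (not code from UAS or this documentation) that ties sections 4.3 and 4.4 together: a client builds an authentication request whose scope parameter mixes identity scopes (openid, profile) and a resource scope (calendar); the client then reads the sub claim from the identity token it receives, while the calendar API checks that the access token presented to it is addressed to that API and actually carries the calendar scope. The issuer URL, client id, API name, token claims and the HMAC-signed demo tokens are all constructed for this example; a real OP signs tokens with an asymmetric key and the verification goes through a proper JWT library.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed values for this demo only (assumptions, not UAS defaults).
ISSUER = "https://op.example"            # placeholder OP address
DEMO_SECRET = b"demo-secret-not-for-production"  # toy signing key for the demo tokens


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_authorization_request(client_id, redirect_uri, scopes, state, nonce):
    """Authentication/token request: identity scopes and resource scopes
    travel together, space-separated, in the single 'scope' parameter."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,   # ties the response back to this request
        "nonce": nonce,   # echoed in the identity token, bound to this login
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"   # endpoint path assumed


def mint_token(claims: dict) -> str:
    """Toy HS256 JWT, standing in for what the OP would issue."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_token(token: str, expected_aud: str, now=None) -> dict:
    """Check signature, issuer, audience and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never trust the alg a token announces
    expected = hmac.new(DEMO_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this audience")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def subject_from_identity_token(id_token: str, client_id: str, expected_nonce: str, now=None) -> str:
    """Client side: the identity token is addressed to the client (aud == client_id)
    and its 'sub' claim identifies the authenticated user."""
    claims = verify_token(id_token, expected_aud=client_id, now=now)
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims["sub"]


def authorize_api_call(access_token: str, required_scope: str, api_name: str, now=None) -> dict:
    """Resource server side: accept only an access token addressed to this API
    that carries the required resource scope; returns the claims for authorization."""
    claims = verify_token(access_token, expected_aud=api_name, now=now)
    if required_scope not in claims.get("scope", "").split():
        raise PermissionError(f"scope {required_scope!r} not granted")
    return claims


# Constructed sample tokens, as an OP might issue them for the request below.
NOW = 1_700_000_000
SAMPLE_ID_TOKEN = mint_token({"iss": ISSUER, "sub": "user-123", "aud": "webapp",
                              "nonce": "n-1", "exp": NOW + 300, "name": "Ada"})
SAMPLE_ACCESS_TOKEN = mint_token({"iss": ISSUER, "sub": "user-123", "client_id": "webapp",
                                  "aud": "calendar-api", "scope": "openid profile calendar",
                                  "exp": NOW + 3600})

if __name__ == "__main__":
    print(build_authorization_request("webapp", "https://app.example/cb",
                                      ["openid", "profile", "calendar"], "s-1", "n-1"))
    print(subject_from_identity_token(SAMPLE_ID_TOKEN, "webapp", "n-1", now=NOW))
    print(authorize_api_call(SAMPLE_ACCESS_TOKEN, "calendar", "calendar-api", now=NOW))
```

The point of the two verifier functions is the audience split: the identity token is for the client and is rejected by the API, and the access token is for the API and is only useful there, so a token of one kind cannot be replayed as the other even though both name the same user.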