1) So their login provider wil give them an OIDC token 2) They identify the user from that token on thier backend 3) They create a session using that user's userID and store the OIDC token in the session 4) To use authress, they extract the OIDC token from the session token on each API and use authress using that OIDC token as usual.