To see this scenario in action, try one of the web app sign-in code samples in our v2.0 Getting Started section.
In addition to simple sign-in, a web server app might need to access another web service, such as a REST API.
A Web API can receive access tokens from all types of apps, including web server apps, desktop and mobile apps, single-page apps, server-side daemons, and even other Web APIs.
Instead of ID tokens and session cookies, a Web API uses an OAuth 2.0 access token to secure its data and to authenticate incoming requests.
In OpenID Connect, the web app receives an ID token.
An ID token is a security token that verifies the user's identity and provides information about the user in the form of claims. You can learn about all the types of tokens and claims that are available to an app in the v2.0 tokens reference.
In this case, the web server app engages in a combined OpenID Connect and OAuth 2.0 flow by using the OAuth 2.0 authorization code flow.
For more information about this scenario, read about getting started with web apps and Web APIs.