Using OAuth to implement social login is insecure (https://tools.ietf.org/html/rfc6819#section-126.96.36.199) because OAuth doesn’t provide authentication, only authorisation. The issue arises because the local application incorrectly thinks that, because a certain Access Token returns ID information, the user with that ID has been authenticated by the OAuth provider, and so can be authenticated as the corresponding user in the local application.
In contrast to the above, OIDC performs authentication and returns an ID Token, for which the local application is the audience. As such, can an ID Token be used to securely authenticate users, assuming that the ID Token is used immediately when returned from the token endpoint? Are there any obvious security ramifications to this approach?
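The checks the local application (the relying party) must itself perform on an ID Token before trusting it are the crux of the question above, so here is an added, self-contained example of them; it is not code from the original post. It validates the signature, `iss`, `aud`/`azp`, `exp` and `nonce` claims, and then shows why an access token, even one that carries the same `sub` and is signed by the same provider, is rejected: its audience is not this client. Assumptions: the client_id, client_secret, issuer and every token are constructed sample values, and tokens are signed with HS256 keyed by the client secret (an option OIDC allows) so the example runs offline; real deployments more commonly use RS256 and verify against the provider's published JWKS, and access tokens are often opaque rather than JWTs.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (assumptions, not taken from the original question).
CLIENT_ID = "my-local-app"                    # this application's registered client_id
CLIENT_SECRET = b"constructed-client-secret"  # shared secret used as the HS256 key
ISSUER = "https://idp.example"                # the OIDC provider this app trusts


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = CLIENT_SECRET) -> str:
    """Build a compact HS256 JWS; stands in for the provider's token endpoint."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class IdTokenError(ValueError):
    pass


def validate_id_token(token: str, expected_nonce: str, key: bytes = CLIENT_SECRET, now=None) -> dict:
    """ID Token validation steps from OIDC Core section 3.1.3.7, done by the relying party."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise IdTokenError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm; never let the token header choose it (this also rejects alg=none).
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected_sig = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise IdTokenError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        raise IdTokenError("wrong issuer")
    # The audience check is what separates an ID Token from an access token:
    # the ID Token is addressed to this client; an access token is addressed to a resource server.
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise IdTokenError("token not intended for this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise IdTokenError("azp missing or wrong")
    if claims.get("exp", 0) <= now:
        raise IdTokenError("expired")
    # The nonce binds the token to the login session that started the flow (replay defence).
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch (replay or wrong session)")
    return claims


def _outcome(token: str, nonce: str, now: float) -> str:
    try:
        return "ok:" + validate_id_token(token, nonce, now=now)["sub"]
    except IdTokenError as e:
        return "rejected:" + str(e)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the validator over a constructed ID Token, an access token, and two tampered/replayed cases."""
    nonce = "session-nonce-123"
    id_token = mint_token({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
                           "exp": now + 300, "iat": now, "nonce": nonce})
    # Same issuer and same user, but addressed to the provider's userinfo endpoint:
    # this is the token the insecure "OAuth as login" pattern mistakes for proof of authentication.
    access_token = mint_token({"iss": ISSUER, "sub": "user-42", "aud": "https://idp.example/userinfo",
                               "exp": now + 300, "iat": now})
    # Payload edited after signing (sub changed) with the original signature kept.
    h, p, s = id_token.split(".")
    forged = json.loads(_b64url_decode(p))
    forged["sub"] = "admin"
    tampered = f"{h}.{_b64url(json.dumps(forged).encode())}.{s}"
    return {
        "id_token": _outcome(id_token, nonce, now),
        "access_token": _outcome(access_token, nonce, now),
        "wrong_nonce": _outcome(id_token, "some-other-session", now),
        "expired": _outcome(id_token, nonce, now + 600),
        "tampered": _outcome(tampered, nonce, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13s} {result}")
```

The access token is rejected purely on `aud`, which is the point of the distinction drawn in the question: the provider asserts nothing to this client by issuing it. Using the ID Token immediately after the token endpoint returns it is what makes the `exp` and `nonce` checks sufficient against replay; an ID Token stored and presented later must still pass the same checks.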