I think this is one of the great virtues of OAuth/OIDC. It makes you realise that, in most cases, you don't care about identity per se when making access control decisions. We just tend to use it as a proxy to infer attributes...