In OAuth and OpenID Connect, the app server endpoint invocation starts the OAuth flow, and the app server gets the token from the auth server and is able to pass the token to the resource server to access resources (delegation) on behalf of the resource owner.
The token exchange happens between the app server and the resource server, and the token never arrives at the end user's browser.
Q1: Does the app server store the token against the user?
Q2: At a subsequent app server endpoint invocation by the user, how does the app server know who the user is and which token is to be used to access the resource server?
(1) Yes. The app server will store the token for each user.
(2) It uses a cookie to maintain the user session. The idea is that after confirming the user is authenticated (i.e. getting the access token) successfully, the app server will generate a unique session ID for this user and associate this session ID with the user's access token. This session ID will then be sent back to the user's browser as a cookie, so that when the user's browser sends subsequent requests to the app server, the app server can get this session ID back from the cookie and use it to get back his access token.
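
The session-to-token mapping described in the answer above, as an added example that is not part of the original answer. The names `SessionStore`, `resource_request_headers`, the cookie name `sid`, the in-memory dict, the one-hour lifetime and the use of a bearer `Authorization` header are assumptions made for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "sid"  # assumed cookie name, not from the original answer


class SessionStore:
    """In-memory map (assumption): session ID -> (user, token, expiry)."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._sessions = {}
        self._ttl = ttl_seconds
        self._clock = clock

    def create(self, user_id, access_token):
        """After the OAuth flow succeeds: return the Set-Cookie value."""
        sid = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
        self._sessions[sid] = (user_id, access_token, self._clock() + self._ttl)
        cookie = SimpleCookie()
        cookie[COOKIE_NAME] = sid  # only the ID leaves the server, never the token
        cookie[COOKIE_NAME]["httponly"] = True  # hidden from page scripts
        cookie[COOKIE_NAME]["secure"] = True  # sent over HTTPS only
        cookie[COOKIE_NAME]["samesite"] = "Lax"
        cookie[COOKIE_NAME]["path"] = "/"
        return cookie[COOKIE_NAME].OutputString()

    def lookup(self, cookie_header):
        """On a later request: map the Cookie header back to (user, token)."""
        jar = SimpleCookie()
        jar.load(cookie_header or "")
        morsel = jar.get(COOKIE_NAME)
        entry = self._sessions.get(morsel.value) if morsel is not None else None
        if entry is None:
            return None  # no cookie, or an unknown/forged session ID
        user_id, access_token, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[morsel.value]  # expired: user must log in again
            return None
        return user_id, access_token


def resource_request_headers(store, cookie_header):
    """Headers the app server sends to the resource server for this user."""
    session = store.lookup(cookie_header)
    if session is None:
        return None  # caller should restart the OAuth flow
    return {"Authorization": "Bearer " + session[1]}
```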