This authentication plugin enables users to log in to ICAT via an external OpenID Connect (OIDC) identity provider such as Keycloak. Unlike other ICAT authentication plugins, it doesn't check the user's credentials by itself. Instead, it leaves this part to the identity provider (IdP) and relies on a so-called token to actually authenticate the user.
Note that the authn.oidc plugin is only responsible for step 6. The other steps require some more work on your end.
OpenID Connect defines (among others) two types of tokens: The access token and the identity token. By definition, the identity token is always a so-called JSON Web Token (JWT). While the access token does not have such a strictly defined format, some identity providers (including Keycloak) also issue access tokens in the JWK format as well. Note, however, that this is not required.
The authn.oidc plugin accepts any token that uses the JWT format. It doesn't matter whether this is an access token or an identity token. What matters is that the token must include a claim with the ICAT username to identify the user.
Note that the token must be issued and signed by the IdP which authn.oidc is configured to trust. This includes two aspects: (1) The iss claim in the token must match the tokenIssuer specified in run.properties; and (2) the token's signature must be verifiable using a public key (jwks_uri) from the wellKnownUrl specified in run.properties.