Comment by mooreds

I mean it is usually paired with an id token, an identifier like an email address is provided, or the access token has a sub claim that is tied back to the user.

So it is not pure authorization, but both authentication and authorization.

Pure authorization would be like a car key, with no identity mixed in.