Comment by johnmaguire

With OIDC, both occur: the client is redirected to the authentication server where they directly authenticate, then carries a token cross-domain back to the service. Finally, the service validates the token against the auth server.

The alternative would be something where I enter my Google username/password on random websites, and trust that they will forward it to Google and not do anything nefarious. This is less secure and less private.