Auth and API: OpenID Connect for user + service, and enforcement along route

RSVP in case we get snacks! 3rd floor, 87 king st w.

Today the world is ruled by API's. They are used by systems, by users, by systems on behalf of users.
In the past there was the 'well-known password' for this use.
Then came the trusty(but untrustworthy) API key.
And now we have OpenID connect (OAUTH2 might have more brand recognition), allowing people and systems to assert what they need, and get an access token for same.

How do we do this from a UI standpoint so we have no passwords and a simple login?
How does that UI now use this access token when accessing the API?
What about a service that never has a user login?
How do we simply and safely enforce the security policy on behalf of those API so they don't all need re-routing?

Plus a healthy dose of cloud.