[OpenID] Native App and web API: Is this the proper use of OpenID Connect for this use case?

Andy Brown Andrew_Brown at rhoworld.com
Wed May 20 14:27:36 UTC 2015


I'm trying to understand how to use OpenID Connect in the following use case. Let's say we just have the following 3 components:
 
* Web app with an exposed API (Service Provider aka SP). 
* A separate authentication server (Identity Provider aka IDP) used for SSO with the above SP.
* A native client app used by the End User. This client app uses the SP's API. 
 
All traffic would be over HTTPS. Here's how I envision the OpenID Connect process working: 
 
1. The native app would request a "token" from the SP. 
2. The SP would see the user isn't authenticated and ask for verification from the trusted IDP. 
3. After the user's credentials are provided to the IDP, the IDP would return an ID token and Access token to the SP. 
4. The SP would verify the ID token and give the Access token to the native client app to use for all subsequent requests to the API. 
 
Is this the recommended way to use OpenID Connect in this situation? Any obvious security concerns? The only one I see is that the native client app could use the Access token to access the User Info endpoint at the IDP. 
 
Thanks for any help! 
 
- Andy 

