OAuth
razer96, 2019-10-30 09:51:54

How to properly implement the OpenID Connect authentication scheme?

Good day to all.
There is the following scheme. Can you please tell me how best to implement the relationship between a third-party application (which wants to use the authentication of my service), the OpenID Connect client application, and the OpenID Connect provider itself? I don't seem to understand how OpenID Connect service providers work. In my understanding, there is an OpenID Connect server that generates tokens, in which I register my application. (For example, I want to tie in authorization through Google; for this I register my application at https://console.developers.google.com/, where I also generate a secret, and then in my application, for example using the openid-client library on the client side or on the back end, it makes no difference, I send requests to the Google authentication server. And, for example, if my application is a standard MVC, when I press the "Authorize through Google" button, I am transferred to the Google authorization form. Regarding this, I have a misunderstanding: is this form (view) a static generated page of the authentication server itself, or can it be a separate application that only accesses the authentication server, i.e. the same OpenID client?)
In my situation, I need the application that requests user data to work separately from the token issuance server itself, since the authentication server will be located in a closed network, and interaction with it from third-party applications should be carried out by a third application that will stick out of the network and will play the role of a proxy server with certain logic.
[Diagram: 5db9328842eba725532058.jpeg]
In the diagram above, my example authentication logic is described step by step, by means of obtaining an authentication code.
Or am I right in my hunch that the layer between the authentication server and the client application should be just an nginx server that only gives access to certain endpoints of my server?
Please give advice, or correct my thinking.
