If you access your app via a browser, Spring Security's `oauth2Login()` is invoked, and you're redirected to Okta. Auth Code flow + PKCE is used and Spring Security will process the ID token to configure the user and create an `OAuth2AuthenticationToken`.

When you access from Postman (or the command line using something like cURL or HTTPie), you're sending an `Authorization` header and `oauth2ResourceServer()` is invoked. Spring Security uses the JWT that's passed in to establish your identity and create a `JwtAuthenticationToken`. It does not process an ID token (because there isn't one) or do a `/userinfo` lookup. You can write custom code to do a `/userinfo` lookup if you want, but you have to do it manually.
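As an added example (not code from the answer above or from Okta's starter), here is a Spring Security 6 / Spring Boot 3 configuration that wires both `oauth2Login()` and `oauth2ResourceServer()` onto one filter chain, plus a controller that returns user claims on either path: for a browser login it reads the claims already extracted from the ID token, and for a bearer-token call it performs the manual `/userinfo` lookup the answer describes. It assumes a client registration id of `okta`, a `JwtDecoder` auto-configured from `spring.security.oauth2.resourceserver.jwt.issuer-uri`, an `openid` scope on the token, and an issuer that exposes the standard OIDC userinfo endpoint; the class and endpoint names are hypothetical.

```java
// Added example, not part of the original answer. Assumes Spring Boot 3 / Spring Security 6,
// a client registration id of "okta", and an issuer with a standard OIDC /userinfo endpoint.
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Both mechanisms on one chain. A request carrying "Authorization: Bearer <jwt>" is
    // authenticated by the resource-server filter (JwtAuthenticationToken); an unauthenticated
    // browser request without that header is redirected to Okta by oauth2Login()
    // (Auth Code + PKCE, ending in an OAuth2AuthenticationToken).
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2Login(Customizer.withDefaults())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}

@RestController
class ProfileController {

    private final ClientRegistrationRepository registrations;
    private final RestTemplate rest = new RestTemplate();

    ProfileController(ClientRegistrationRepository registrations) {
        this.registrations = registrations;
    }

    // Hypothetical endpoint: returns the user's claims whichever path authenticated the caller.
    @GetMapping("/profile")
    Map<String, Object> profile(Authentication authentication) {
        if (authentication instanceof OAuth2AuthenticationToken oauth) {
            // Browser login: the ID token was already validated and parsed; claims are on the principal.
            OidcUser user = (OidcUser) oauth.getPrincipal();
            return user.getClaims();
        }
        if (authentication instanceof JwtAuthenticationToken jwtAuth) {
            // Bearer-token call: no ID token and no automatic /userinfo lookup, so do it manually
            // by presenting the same access token to the issuer's userinfo endpoint.
            return fetchUserInfo(jwtAuth.getToken().getTokenValue());
        }
        throw new IllegalStateException("unsupported authentication type: " + authentication.getClass());
    }

    private Map<String, Object> fetchUserInfo(String accessToken) {
        // "okta" is the assumed registration id; the userinfo URI comes from the provider metadata.
        ClientRegistration okta = registrations.findByRegistrationId("okta");
        String userInfoUri = okta.getProviderDetails().getUserInfoEndpoint().getUri();

        HttpHeaders headers = new HttpHeaders();
        headers.setBearerAuth(accessToken);
        ResponseEntity<Map<String, Object>> response = rest.exchange(
            userInfoUri, HttpMethod.GET, new HttpEntity<>(headers),
            new ParameterizedTypeReference<Map<String, Object>>() {});
        return response.getBody();
    }
}
```

The resource-server path deliberately does nothing beyond validating the JWT's signature, issuer and expiry, so anything you want from `/userinfo` costs an extra HTTPS round trip per request; if you go this route, cache the result per token (keyed on the JWT's `jti` or a hash of the token, with a lifetime no longer than the token's `exp`) rather than calling the issuer on every request.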