OAuth2 Authentication allows users to log into your Drupal site authenticating against a remote identity provider (IDP) via OAuth2.
That is, if a user's credentials can be used to retrieve a valid access token, he/she will be logged into the site with those credentials and the token will be added to his/her session. If the user doesn't exist yet, it will be created.
In doing this, we're making the assumption that resource requesters are actually resource owners. Generally, one shouldn't make that assumption as OAuth2 is an authorization mechanism, not an authentication mechanism.
If you found this module looking for a standard way to have users log in via OAuth2, then you should probably go with OpenID Connect instead. It provides a proper identity layer on top of OAuth2. Think of it like the evolution of SAML. This module is meant for those that don't have access to an OpenID Connect server, do have access to an IDP that speaks OAuth2, and can trust the environment in which all of it operates.
If you haven't considered the security implications of using this module, and you don't control the environment in which it's running, then you shouldn't be using it. For example, you probably don't want to do this sort of thing on a mobile environment as it can't be trusted to the same extent as a Drupal site behind a corporate firewall.
If you made it this far, and are still considering using the module, then make sure you've read and understood the following articles.
It also wouldn't hurt to study the official OAuth 2.0 Threat Model and Security Considerations.
If the total expiration time for your tokens, including successive tokens returned by your token server through refresh tokens (RTs), is less than the maximum time a user can be logged in (see Session Expire for details), users will still be logged in when their final tokens expire.
As this module doesn't (yet) deal with that situation, you'll need to come up with a solution that meets your requirements. Some background information on this can be found over at Best-Practice for dealing with OAuth 2.0 Token expiration at the Consumer.