Notice that in federated identity, the website (the relying party) consumes an identity assertion directly from the Identity Provider. The browser is used to interact with the person, but in a typical federated identity protocol like OpenID Connect (authorization code flow), we do not rely on the browser to carry anything that needs to be trusted. The only thing that flows through the browser is an opaque, short-lived reference identifier (i.e. the authorization code), which contains no claims about the user. The trust in the federated identity topology is derived from the IDP's signature on the assertion (i.e. the signed JWT, the ID token), which the website obtains by redeeming the code over the "backchannel": a TLS-secured connection that the website opens directly to the IDP's token endpoint, authenticating itself as a registered client. The website then verifies the JWT's signature against the IDP's key and checks its claims (issuer, audience, nonce, expiry) before accepting the identity. Let's consider how the wallet makes this more complicated (diagram from Avast):
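The code-via-browser, token-via-backchannel split described above, as an added example that is not part of the original post: a toy OpenID Connect authorization code flow in Python, with both the IDP side and the relying-party side in one file. The issuer URL, client ID and client secret are constructed values for this example, and the ID token is signed with HS256 using the client secret (which OpenID Connect permits) so that it runs with the standard library alone; a production IDP would normally use RS256 with keys published at its JWKS endpoint, and a real relying party would use a maintained JWT library rather than this hand-rolled verifier.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for this example (not from any real deployment).
ISSUER = "https://idp.example"
CLIENT_ID = "example-rp"
CLIENT_SECRET = b"constructed-client-secret-shared-out-of-band"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """IDP side: produce a compact JWS (HS256) over the ID token claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


class IdentityProvider:
    def __init__(self):
        self._codes = {}  # authorization code -> (subject, nonce, expiry)

    def authorize(self, subject: str, nonce: str, now: float) -> str:
        """Front channel: after the user authenticates, the IDP hands back a
        short-lived opaque code that is redirected through the browser to the
        relying party. The code itself carries no claims."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = (subject, nonce, now + 60)
        return code

    def token(self, code: str, client_id: str, client_secret: bytes, now: float) -> str:
        """Back channel: the relying party authenticates to the token endpoint
        and redeems the code exactly once for a signed ID token."""
        if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise PermissionError("client authentication failed")
        entry = self._codes.pop(code, None)  # pop: a code is single-use
        if entry is None:
            raise PermissionError("unknown or already-redeemed code")
        subject, nonce, expiry = entry
        if now > expiry:
            raise PermissionError("code expired")
        claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
                  "nonce": nonce, "iat": int(now), "exp": int(now) + 300}
        return sign_jwt(claims, CLIENT_SECRET)


def verify_id_token(token: str, key: bytes, expected_nonce: str, now: float) -> dict:
    """Relying-party side: check the signature first, then the claims that bind
    the token to this client and this login attempt. Any failure raises."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def run_flow(now=None):
    """Drive one login end to end. Returns the verified claims plus the
    artefacts needed to show replay and tampering being rejected."""
    now = time.time() if now is None else now
    idp = IdentityProvider()
    nonce = secrets.token_urlsafe(16)  # RP generates this and keeps it in its session
    code = idp.authorize("alice", nonce, now)  # travels through the browser redirect
    id_token = idp.token(code, CLIENT_ID, CLIENT_SECRET, now)  # backchannel exchange
    claims = verify_id_token(id_token, CLIENT_SECRET, nonce, now)
    return claims, idp, code, id_token, nonce


def code_replay_rejected(idp: IdentityProvider, code: str, now: float) -> bool:
    """A code seen in the browser is worthless to an attacker once redeemed."""
    try:
        idp.token(code, CLIENT_ID, CLIENT_SECRET, now)
    except PermissionError:
        return True
    return False


def tampered_token_rejected(id_token: str, nonce: str, now: float) -> bool:
    """Rewriting the subject without the IDP's key breaks the signature."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["sub"] = "mallory"
    forged_payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    try:
        verify_id_token(f"{header_b64}.{forged_payload}.{sig_b64}", CLIENT_SECRET, nonce, now)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    claims, idp, code, tok, nonce = run_flow()
    print("verified claims:", claims)
    print("code replay rejected:", code_replay_rejected(idp, code, time.time()))
    print("tampered token rejected:", tampered_token_rejected(tok, nonce, time.time()))
```

The two things worth noticing are where the checks live: the IDP pops the code so it cannot be redeemed twice even if someone reads it out of the browser, and the relying party pins the algorithm, verifies the signature before parsing any claim, and only then checks issuer, audience, nonce and expiry. Nothing the browser carried is trusted on its own.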
In the next parts of this series, we will look at other aspects of the new decentralized identity ecosystem that is evolving, including the diversity of wallets, credentials, decentralized identifier resolution methods, and private key management.