Chapter 21: Decentralized Identity — DIDs, Verifiable Credentials, and OID4VC

This is Part 21 of a chapter-by-chapter walkthrough of my book OpenID: Modern Identity for Developers and Architects. In the previous chapter we covered passwordless auth. Chapter 21 goes further still: identity where no central provider exists at all.


21.1 — DIDs: Identifiers Without an Issuing Authority

A Decentralized Identifier (DID) is a globally unique identifier that you create and control yourself: no identity provider allocates it and nothing central has to approve it. No email provider, no OpenID issuer and, depending on the method, not even a DNS domain. The DID resolves to a DID Document, a JSON structure listing the identifier's public keys, service endpoints, and verification relationships (which key may authenticate as the DID, which may sign assertions, and who may update the document).

Multiple DID methods exist, and they differ mainly in where the DID Document lives and who can change it. did:web serves the document over HTTPS from a path derived from the identifier; it is pragmatic for organizations that already run websites, but the DID is then only as trustworthy as the domain's DNS and TLS. did:key packs the public key into the identifier itself, so the document is derived rather than stored; that means no infrastructure at all, but also no key rotation, since a new key is a new DID. Ledger-based methods like did:indy anchor the document and its update history on a distributed ledger. Each is a different answer to "where does the ground truth live if not at a centralized provider?"

Key idea: A DID isn't a replacement for a username. It's a replacement for the authority that issues usernames. Your DID is yours the way your PGP keypair was yours — only with standards, tooling, and a chance of non-cryptographers actually using it.

21.2 — Verifiable Credentials

A Verifiable Credential (VC) is a cryptographically signed statement about a subject, issued by one entity (a university, a government, an employer) and verifiable by anyone who has the issuer's public key. "Alice holds a degree from Stanford." "This license is valid through 2028." "The bearer is over 18."

The model: issuers create and sign VCs; holders store them in wallets; verifiers request presentations from holders and check the issuer's signature (and, when the credential is bound to the holder's key, the holder's proof as well). The killer feature is selective disclosure: I can prove I work at Company X without revealing my job title, or prove citizenship without exposing my ID number. Two caveats a practitioner should know. First, selective disclosure is a property of the credential format, not of VCs in general: a plain signed JWT credential is all-or-nothing, while formats such as SD-JWT (the issuer signs salted hashes of individual claims and the holder reveals only the claims it chooses) and BBS+ signatures support it. Second, "over 18 without revealing my birthdate" only works if the issuer included a boolean age_over_18 claim that can be disclosed on its own, or if the credential scheme supports zero-knowledge predicate proofs; ordinary selective disclosure can only reveal or withhold claims exactly as the issuer wrote them.

21.3 — OpenID for Verifiable Credentials (OID4VC)

DIDs and VCs are elegant, but they would be isolated from the existing identity ecosystem without a bridge. That bridge is OpenID for Verifiable Credentials (OID4VC), a family of specifications from the OpenID Foundation that reuses OAuth 2.0 and OpenID Connect machinery to issue and present VCs: OpenID for Verifiable Credential Issuance (OID4VCI) for getting credentials into a wallet, OpenID for Verifiable Presentations (OID4VP) for presenting them to a relying party, and Self-Issued OpenID Provider v2 (SIOPv2) for letting the wallet act as the user's own OpenID Provider.

In OID4VCI the wallet obtains an access token through a familiar OAuth 2.0 flow (an authorization code flow, or a pre-authorized code handed over in a credential offer) and then presents that token at the issuer's credential endpoint, together with a proof of possession of the holder's key, to receive the credential; the credential, not an ID token, is what the user walks away with. In OID4VP the relying party sends what is structurally an OpenID authorization request with response_type=vp_token, and the wallet answers with a verifiable presentation bound to the request's nonce and to the relying party's client_id, so a presentation captured from one verifier cannot be replayed at another. The same mental model of authorization endpoints, scopes and tokens extends to credential-centric identity.

OID4VC is the pragmatic answer to "how do we get there from here." You keep your investment in OIDC; you gain the properties of decentralized credentials where they matter; you migrate incrementally rather than forklifting.


What Chapter 21 Sets Up

After Chapter 21 you should understand the fundamental shift decentralized identity proposes (user-controlled credentials instead of IdP-mediated sessions), how DIDs and VCs work as primitives, and why OID4VC is the migration path most of the industry is betting on. This isn't replacing OIDC; it's extending it.


Next up — Chapter 22: Identity in AI Systems. The final chapter addresses the question the rest of the book has been building toward: what does identity look like when the "user" is an AI agent? LLM authentication, the Model Context Protocol, DCR for ephemeral agents, and the trust problem of non-human actors.

Want the full picture? Grab OpenID: Modern Identity for Developers and Architects here for the complete DID method comparison, VC implementation patterns, and the rest of the 22-chapter journey through modern identity.
2026-03-27

Sho Shimoda

I share and organize what I’ve learned and experienced.