Credentials are at the core of the Sovrin ecosystem. Remember that the three main actors are the credential issuer, the credential holder, and the credential verifier. (A good description is in the Appendix to the Sovrin Glossary.)
When the user signs up for the service, the service provider invites the user to establish an encrypted side-channel connection and exchange pairwise DIDs. It does this by asking the user to scan a QR code, or open a specific URL, with their identity agent; the invitation carried by that code or URL is what bootstraps the connection. Because the invitation is presented before any keys have been exchanged, it should be delivered over a channel the user already trusts, such as the service's own HTTPS page, so that an attacker cannot substitute an invitation of their own.
The service provider then uses that channel to issue a credential to the user stating that the user is authorized to use the service in a specific capacity. The user's identity agent stores that credential in the user's wallet.
When the user logs into the service, the service provider now acts as the verifier. It uses the encrypted DID communication channel to send the user a proof request (the Sovrin term for a credential request), which carries a fresh nonce so that the resulting proof is bound to this login attempt and cannot be replayed. The user responds with a proof derived from the credential, showing their authorization to use the service without necessarily disclosing anything else the credential contains. Once the proof checks out, the service provider issues the user a session token that is valid for the main communication channel.
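The whole sign-up and login flow described above, as an added example that is not part of the original page and not code from Sovrin or Hyperledger Indy. It is written in Go with plain Ed25519 signatures from the standard library, which stand in for Sovrin's anonymous credentials: here the holder reveals the entire credential and proves control of its DID key with an ordinary signature over the verifier's nonce, whereas a real Sovrin proof is a zero-knowledge presentation over a CL-signed credential that discloses only the requested attributes. The `did:example:` DID format, the `Party`, `Verifier`, `Issue`, `Present`, `Challenge` and `Login` names, and the service and role values are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Party is one side of a pairwise connection; the DID is a placeholder derived from the key (assumption).
type Party struct {
	DID  string
	Priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// Credential says Holder may use Service as Role; Sig is the issuer's signature over the other fields.
type Credential struct {
	Issuer, Holder, Service, Role string
	Sig                           []byte `json:"-"`
}

// ProofRequest is the verifier's login challenge; the nonce ties the answer to this one attempt.
type ProofRequest struct {
	Nonce         []byte
	Service, Role string
}

// Presentation is the holder's answer; unlike a Sovrin proof it reveals the whole credential.
type Presentation struct {
	Cred      Credential
	Nonce     []byte
	HolderSig []byte // signature over JSON(cred)||nonce: proves control of the DID's key
}

type Verifier struct { // the service provider at login time
	Me       Party
	PeerKeys map[string]ed25519.PublicKey // peer DID -> key learned during DID exchange
	Pending  map[string]ProofRequest      // peer DID -> open challenge, removed once answered
}

// random16 supplies nonces and session tokens; crypto/rand.Read does not fail on supported platforms.
func random16() []byte { b := make([]byte, 16); _, _ = rand.Read(b); return b }

// signable is the byte string both signatures cover: the credential's JSON, plus the nonce for the holder.
func signable(c Credential, nonce []byte) []byte { b, _ := json.Marshal(c); return append(b, nonce...) }

func NewParty() Party {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // errors only if the OS CSPRNG fails
	return Party{DID: "did:example:" + hex.EncodeToString(pub[:8]), Priv: priv, Pub: pub}
}

func NewVerifier(me Party) *Verifier {
	return &Verifier{Me: me, PeerKeys: map[string]ed25519.PublicKey{}, Pending: map[string]ProofRequest{}}
}

// Issue is the sign-up step: the service provider signs the credential and sends it over the side channel.
func Issue(issuer Party, holderDID, service, role string) Credential {
	c := Credential{Issuer: issuer.DID, Holder: holderDID, Service: service, Role: role}
	c.Sig = ed25519.Sign(issuer.Priv, signable(c, nil))
	return c
}

// Present is the holder agent's side of login: the stored credential plus a signature over the fresh nonce.
func Present(holder Party, c Credential, req ProofRequest) Presentation {
	return Presentation{Cred: c, Nonce: req.Nonce, HolderSig: ed25519.Sign(holder.Priv, signable(c, req.Nonce))}
}

// Connect records the peer's DID and key once the QR-code invitation has been accepted.
func (v *Verifier) Connect(peerDID string, pub ed25519.PublicKey) { v.PeerKeys[peerDID] = pub }

// Challenge sends a fresh proof request to the holder's agent over the side channel.
func (v *Verifier) Challenge(peerDID, service, role string) ProofRequest {
	v.Pending[peerDID] = ProofRequest{Nonce: random16(), Service: service, Role: role}
	return v.Pending[peerDID]
}

// Login checks the presentation and, on success, returns a session token for the main channel.
func (v *Verifier) Login(peerDID string, p Presentation) (string, error) {
	req, open := v.Pending[peerDID]
	delete(v.Pending, peerDID) // a challenge is consumed by its first answer, pass or fail
	pub, known := v.PeerKeys[peerDID]
	c := p.Cred
	switch {
	case !open || string(req.Nonce) != string(p.Nonce):
		return "", errors.New("no open challenge or nonce mismatch (replay?)")
	case c.Issuer != v.Me.DID || !ed25519.Verify(v.Me.Pub, signable(c, nil), c.Sig):
		return "", errors.New("credential was not issued by this service")
	case !known || c.Holder != peerDID || !ed25519.Verify(pub, signable(c, p.Nonce), p.HolderSig):
		return "", errors.New("presenter does not control the DID the credential is bound to")
	case c.Service != req.Service || c.Role != req.Role:
		return "", errors.New("credential does not satisfy the proof request")
	}
	return hex.EncodeToString(random16()), nil // caller binds this token to server-side session state
}

func main() {
	sp, user := NewParty(), NewParty()
	v := NewVerifier(sp)
	v.Connect(user.DID, user.Pub) // invitation scanned, pairwise DIDs exchanged
	cred := Issue(sp, user.DID, "example-service", "member")
	req := v.Challenge(user.DID, "example-service", "member")
	fmt.Println(v.Login(user.DID, Present(user, cred, req)))
	fmt.Println(v.Login(user.DID, Present(user, cred, req))) // replay: the nonce is already consumed
}
```

Two design points carry over to a real deployment. The verifier deletes the pending challenge before it evaluates the answer, so a second submission of the same presentation fails even though every signature in it is still valid; this is what the nonce in the proof request buys. And the issuer check, the holder check and the role check are separate: a credential that the service itself signed, presented by someone who does not hold the key behind the DID it was issued to, or that grants a lesser role than the login requires, is rejected for a distinct reason, which is what you want in the audit log.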
There is an ongoing effort to build a bridge between DIDAuth and OpenID Connect that implements this flow out of the box for certain IdP solutions.