
Slightly off topic, but it's been frustrating to me that large organizations only want to implement OpenID providers and not consumers. What Apple has done makes it easier to bring your Apple identity across the internet, but it's ultimately an identity that Apple owns.



Basically, if you're a large org, you must be an OpenID Provider (OP). Optionally, you might also be a consumer.

If an org supports social login, for instance, they are likely a consumer and a provider.

The user authenticates at an external OP (like Apple or Google), but a local account (or "identity") is always created by the service provider, which should be stored in an OpenID Provider.

> but it's ultimately an identity that Apple owns.

I would say that's slightly inaccurate; it's ultimately identity information that Apple owns. And of course, Apple owns your account with Apple.

But the minute you "sign in with Apple" to any service, they too are creating a local identity for you (sans password). That identity begins with the information provided by Apple (e.g. name, email address, etc.), but can expand over time to include additional information provided by the user, not Apple.


You are correct in that quite often who implements provider vs consumer depends largely on market position. There is technically no reason Apple can't become a consumer, other than they aren't interested in doing so. Also consider that, should Apple choose to eliminate your account, then you've lost whatever you use Apple to sign in with unless those downstream providers offer some kind of recovery mechanism.


> Also consider that, should Apple choose to eliminate your account, then you've lost whatever you use Apple to sign in with unless those downstream providers offer some kind of recovery mechanism.

Yes, some kind of recovery mechanism, some ability to set a local credential post-registration, or some ability to link and unlink external accounts, e.g. Sign in with Apple, then link your Google, FB, and Github accounts. Then, if you lose access to your Apple account, you still have additional options for authentication.

The latter two options are something I wish more organizations offered!
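The two ideas in this thread, a relying party creating its own local identity on first "sign in with" (seeded from the OP's claims, keyed by the OP's stable subject id rather than by email) and letting the user link, unlink and add a local credential so that losing the upstream account is not a lockout, can be shown in a small account store. This is an added example, not code from any commenter or from Apple; the class and method names, the provider ids and the sample users are constructed for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


class LockoutError(Exception):
    """Raised when a change would leave the account with no way to sign in."""


@dataclass(frozen=True)
class ExternalIdentity:
    provider: str   # hypothetical provider id, e.g. "apple" or "google"
    subject: str    # the OP's stable user identifier (the OIDC "sub" claim)


@dataclass
class LocalAccount:
    """The relying party's own identity record; seeded from the OP, then owned locally."""
    account_id: int
    email: str
    display_name: str
    password_hash: Optional[str] = None
    password_salt: Optional[bytes] = None
    links: Set[ExternalIdentity] = field(default_factory=set)

    def credential_count(self) -> int:
        """Independent ways the user can still authenticate."""
        return len(self.links) + (1 if self.password_hash else 0)


class AccountStore:
    def __init__(self) -> None:
        self._accounts: Dict[int, LocalAccount] = {}
        self._by_link: Dict[Tuple[str, str], int] = {}  # (provider, subject) -> account_id
        self._next_id = 1

    def sign_in_external(self, provider: str, subject: str, email: str, name: str) -> LocalAccount:
        """Return the local account for an external identity, creating it on first sign-in.

        Lookup is by (provider, subject), never by email: an email asserted by an OP may be
        unverified or later reassigned, so keying on it could drop one user into another's account.
        """
        key = (provider, subject)
        if key in self._by_link:
            return self._accounts[self._by_link[key]]
        acct = LocalAccount(self._next_id, email, name,
                            links={ExternalIdentity(provider, subject)})
        self._accounts[acct.account_id] = acct
        self._by_link[key] = acct.account_id
        self._next_id += 1
        return acct

    def link(self, account_id: int, provider: str, subject: str) -> None:
        """Attach another external identity; one external identity may map to one account only."""
        key = (provider, subject)
        owner = self._by_link.get(key)
        if owner is not None and owner != account_id:
            raise ValueError("external identity is already linked to another account")
        self._accounts[account_id].links.add(ExternalIdentity(provider, subject))
        self._by_link[key] = account_id

    def unlink(self, account_id: int, provider: str, subject: str) -> None:
        """Detach an external identity, refusing if it is the last sign-in method."""
        acct = self._accounts[account_id]
        ident = ExternalIdentity(provider, subject)
        if ident not in acct.links:
            raise KeyError("identity is not linked to this account")
        if acct.credential_count() <= 1:
            raise LockoutError("refusing to remove the last remaining sign-in method")
        acct.links.remove(ident)
        del self._by_link[(provider, subject)]

    def set_local_password(self, account_id: int, password: str) -> None:
        """Add a local credential post-registration (salted PBKDF2-HMAC-SHA256)."""
        acct = self._accounts[account_id]
        salt = secrets.token_bytes(16)
        acct.password_salt = salt
        acct.password_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()

    def verify_password(self, account_id: int, password: str) -> bool:
        acct = self._accounts[account_id]
        if acct.password_hash is None or acct.password_salt is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.password_salt, 200_000).hex()
        return secrets.compare_digest(digest, acct.password_hash)


if __name__ == "__main__":
    store = AccountStore()
    acct = store.sign_in_external("apple", "001234.abc", "ada@example.invalid", "Ada")
    store.link(acct.account_id, "google", "1099")
    store.unlink(acct.account_id, "apple", "001234.abc")  # still signable via google
    print(acct)
```

The two checks that matter for the scenario raised above are in `unlink` (an account is never left with zero credentials) and in `sign_in_external` (the local record is found by the OP's subject identifier, so the relying party keeps its own identity even if the OP later changes or drops the user's email).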



