Can identity providers work without storing any user data?
Is it reasonable to think about an authentication solution where identity provider do not hold any user-data (hence acts like a stateless server) and the service provider (or relying party) gets verified data directly from end-user?
But question is, If one of the user's does something wrong. and goverment would like to ask who takes the ownership. If Identity Provider do not store the information how would they be able to verify it ?