[Proposal] Shared private Data for social posting

So things have changed a bit with Stratos that might help some people who are looking for a solution.

Stratos at the moment is an independent service. It functions by "enrollment", which is done via OAuth to establish a long-lived token so that it can write a stub record referencing a record created in Stratos. The stub is public but the private record is not; the public record holds no metadata, only a reference. The private record contains the data on which boundary domain it belongs to and can only be accessed by an authenticated request, which checks the boundaries of the requester before serving it.

As for the enrollment process, since the DID document has such a high barrier to being updated and the only update method is effectively full access, Stratos instead does a signed attestation by writing a record on the user's PDS containing data like the service endpoint. The attestation contains the boundaries and is signed by the service key so it can be verified. In this attestation is also a key generated for the user so they can verify the records created in Stratos are "theirs".

This effectively serves as the credentials for the user but it’s a shared model as Stratos still owns the private key in the current iteration.

Now, since this is following the approach of boundaries acting as the permission to the data, it's not working off a model any smaller than a group, and a user has to actively choose to enroll in it. An operator would of course have the ability to remove a user, but this hasn't been implemented yet.

If anyone is keen to look closer at what's being worked on, drop me a message. There's one large piece to be done, but then it will be close to feature complete.
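As an added illustration of the enrollment and access model described above (this is not Stratos's code; the record shapes, field names, the `ref|boundary|data` signing input and the choice of Ed25519 are all assumptions of this example), here is the flow in Go: the service signs an attestation carrying the endpoint, the user's boundaries and a key generated for the user; the public stub carries only a reference; and a private record is served only after the requester's attestation verifies under the service key and its boundaries include the record's boundary. The demo also shows a forged attestation (boundary list edited after signing) being rejected, and the user checking a record is theirs with the user key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Attestation is the payload the service writes to the user's PDS.
// Field names are this example's assumption, not a real schema.
type Attestation struct {
	Subject         string   `json:"subject"`          // the user's DID
	ServiceEndpoint string   `json:"service_endpoint"` // where the service is reachable
	Boundaries      []string `json:"boundaries"`       // groups the user has enrolled in
	UserPubKey      []byte   `json:"user_pub_key"`     // key generated for the user at enrollment
}

// SignedAttestation binds the payload to the service key so anyone can verify it.
type SignedAttestation struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

func SignAttestation(serviceKey ed25519.PrivateKey, att Attestation) (SignedAttestation, error) {
	payload, err := json.Marshal(att)
	if err != nil {
		return SignedAttestation{}, err
	}
	return SignedAttestation{Payload: payload, Signature: ed25519.Sign(serviceKey, payload)}, nil
}

// VerifyAttestation checks the service signature before trusting any field.
func VerifyAttestation(servicePub ed25519.PublicKey, sa SignedAttestation) (Attestation, error) {
	if !ed25519.Verify(servicePub, sa.Payload, sa.Signature) {
		return Attestation{}, errors.New("attestation signature invalid")
	}
	var att Attestation
	err := json.Unmarshal(sa.Payload, &att)
	return att, err
}

// StubRecord is the public record: a reference and nothing else.
type StubRecord struct {
	Ref string `json:"ref"`
}

// PrivateRecord stays in the service and names the boundary it belongs to.
type PrivateRecord struct {
	Ref, Boundary, Data string
	UserSig             []byte // signed with the user's key so they can verify it is theirs
}

type Service struct{ records map[string]PrivateRecord }

func NewService() *Service { return &Service{records: map[string]PrivateRecord{}} }

// Create stores the private record and returns the public stub for the PDS.
func (s *Service) Create(userKey ed25519.PrivateKey, ref, boundary, data string) StubRecord {
	sig := ed25519.Sign(userKey, []byte(ref+"|"+boundary+"|"+data)) // assumed signing input
	s.records[ref] = PrivateRecord{Ref: ref, Boundary: boundary, Data: data, UserSig: sig}
	return StubRecord{Ref: ref}
}

// Serve releases the private record only to a requester whose verified
// attestation lists the record's boundary.
func (s *Service) Serve(servicePub ed25519.PublicKey, requester SignedAttestation, stub StubRecord) (PrivateRecord, error) {
	att, err := VerifyAttestation(servicePub, requester)
	if err != nil {
		return PrivateRecord{}, err
	}
	rec, ok := s.records[stub.Ref]
	if !ok {
		return PrivateRecord{}, errors.New("no such record")
	}
	for _, b := range att.Boundaries {
		if b == rec.Boundary {
			return rec, nil
		}
	}
	return PrivateRecord{}, errors.New("requester is outside the record's boundary")
}

// OwnsRecord lets the user confirm the service-created record carries their key's signature.
func OwnsRecord(userPub ed25519.PublicKey, rec PrivateRecord) bool {
	return ed25519.Verify(userPub, []byte(rec.Ref+"|"+rec.Boundary+"|"+rec.Data), rec.UserSig)
}

type DemoResult struct{ InsiderAllowed, OutsiderDenied, ForgedDenied, UserOwns bool }

// Demo runs the whole flow with constructed DIDs and boundaries.
func Demo() (DemoResult, error) {
	servicePub, serviceKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	alicePub, aliceKey, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, _, _ := ed25519.GenerateKey(rand.Reader)
	alice := Attestation{"did:example:alice", "https://stratos.example", []string{"group:climbers"}, alicePub}
	bob := Attestation{"did:example:bob", "https://stratos.example", []string{"group:chess"}, bobPub}
	aliceSA, _ := SignAttestation(serviceKey, alice)
	bobSA, _ := SignAttestation(serviceKey, bob)

	svc := NewService()
	stub := svc.Create(aliceKey, "ref-0001", "group:climbers", "constructed: trip plan for saturday")
	rec, errInsider := svc.Serve(servicePub, aliceSA, stub)
	_, errOutsider := svc.Serve(servicePub, bobSA, stub)
	forged := bobSA // Bob edits his boundary list after signing; the signature no longer matches
	forged.Payload = []byte(strings.Replace(string(bobSA.Payload), "group:chess", "group:climbers", 1))
	_, errForged := svc.Serve(servicePub, forged, stub)
	return DemoResult{errInsider == nil, errOutsider != nil, errForged != nil, OwnsRecord(alicePub, rec)}, nil
}

func main() {
	r, err := Demo()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The point the demo makes is that the boundary check is only as good as the signature check in front of it: `Serve` verifies the attestation before reading `Boundaries`, so an edited payload is refused rather than granted the wider access it claims.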
