Linux sysadmin, I want to use RFID for 2FA on my laptop/phone

I feel like you and I have discussed before elsewhere on the forum. What’s quoted above is simply not accurate. The Spark chip (the only VivoKey chip you can buy right now) is a symmetric crypto chip using AES128 with 3 keys. It has limited capabilities and you cannot load or change any software on the chip, hence Fidesmo has nothing to do with the Spark. Because the chip software is unchangeable and the keys are symmetric, to be at all useful for us (VivoKey) we need to set the keys and lock it. The Spark was never promised to be anything but that - an authentication token for VivoKey and any and all integrated services through our standard APIs.

When it comes to Apex (this is where Fidesmo comes into play), what @NiamhAstra says next is pretty close to accurate;

However to clarify completely… it’s not just putting your own keys on. You are given a pathway that is absolutely free (no fees involved) which will allow you to develop and deploy your very own javacard applications to the chip… and those applications you created and deployed can generate their own keys or you can push keys into those applications. The only caveat is that you need to deploy your applications through Fidesmo because they hold the master key needed to manage apps (deploy and remove apps) on the chip. Therefore, your statement made above would be more accurate if it read:

When you buy a Vivokey chip, you buy a Vivokey / Fidesmo managed chip.

The important aspect here is that you can update your chip, deploy your own apps, and do so free of charge… you simply have to deploy them by signing up for a free Fidesmo developer account. I realize this is still not what you want, and that’s fine… but it’s a reality that is very different from the claim “what you really buy is secure access to that particular ecosystem and nothing else” when it comes to Apex chip based products.

As stated above, you do not need to do this in order to deploy your own applets.

yes… let me elaborate.


For a long time now, there have been chips that are “multi-application”. This includes all 3 “evolutions” of DESFire, as well as full blown smartcard “secure element” chips… but you know why you don’t see cards that support more than one application? Why transit cards can’t also be used for the gym or any of your own applications, or why you can’t load your own PGP javacard applet on to your totally capable credit card?

The reason is trust… or lack of it. You see, absolutely nobody trusts anyone else with master keys. The transit company doesn’t want to have anyone else deploying their transit app to cards they don’t totally own and control… and neither does the gym, or the banks, or the enterprise handing out employee badges.

This lack of trust is why you end up with 20 cards in your wallet… each one capable of doing so much, but limited to just one thing only per card. This is why Fidesmo was identified as a critical partner for VivoKey, even well before we actually had a secure element chip. Fidesmo’s role is to play key master, and convince 3rd parties like transit companies (Fidesmo Go) and payment networks (Fidesmo Pay) and access control companies (HID SEOS) to trust Fidesmo to securely deploy each of their applications to the chip, safely inside their own security domain on the chip, where other applications deployed to the chip from other sources can’t see or mess with their sensitive apps or associated data. Without this critical role being played by Fidesmo, we would not have a chance in hell of actually using our chip implants out in the real world with real world services and applications deployed on a wide scale.

Cue ironic quote time…

This is exactly what I’m talking about. You will never get a 3rd party company to provision their application to your implant. The only exception you might get would require they provision your DESFire chip and RESET your chip’s master keys to their key derivation algo… i.e. you would lose your own master keys… and you’d be stuck in the exact situation you don’t want… actually it would be worse because not only would you not have your own master keys, but you would not have any way at all to provision any other applications… your chip would do one thing and one thing only, and you would have no way to reset it or do anything else with it ever. At least with the Apex and Fidesmo, you totally have the option to deploy your own apps.

I did have one unprovisioned chip… sold it to someone here on this forum 🙂 I might consider another run of NTAG413s but for right now all energy is focused on Apex.

I’m not sure what you mean here… OAuth 2.0, specifically with the OpenID Connect extension, is an IdP solution that tons of websites and services use. Like SSO / SAML, it delegates authentication and identity validation to a 3rd party. The idea that an enterprise might accept it as a form of internal authentication mechanism is not really the goal of these particular IdP implementations… however we do have other ideas in this regard, as @fraggersparks has already attested to.
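Why symmetric keys decide who controls a chip, as an added example that is not from the original post, VivoKey or Fidesmo: a simplified DESFire-style AES-128 mutual challenge-response in Go, with a constructed demo key and the IV reset to zero for every message (the real protocol chains it). A reader authenticates only if it holds exactly the key the card was locked with, which is the mechanism behind the point above that whoever sets and holds the keys decides what the chip will do.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// aesCBC runs AES-128-CBC with a zero IV over whole blocks, encrypting or decrypting.
// Simplification: real DESFire chains the IV across the messages of one session.
func aesCBC(key, data []byte, encrypt bool) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be exactly 16 bytes
	}
	out, iv := make([]byte, len(data)), make([]byte, aes.BlockSize)
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, data)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, data)
	}
	return out
}

// rotl is the DESFire RndX' transform (rotate left by one byte); nonce draws a 16-byte random value.
func rotl(b []byte) []byte { return append(append([]byte{}, b[1:]...), b[0]) }
func nonce() []byte { b := make([]byte, 16); rand.Read(b); return b }

// Authenticate runs the three-message exchange between a card locked with cardKey and a reader
// holding readerKey. It returns true only if both sides prove possession of the same key.
func Authenticate(cardKey, readerKey []byte) bool {
	// Message 1, card -> reader: E_K(RndB). The card remembers RndB.
	rndB := nonce()
	encB := aesCBC(cardKey, rndB, true)
	// Message 2, reader -> card: E_K(RndA || RndB'). Only a reader holding K recovers RndB.
	rndA := nonce()
	rndBSeen := aesCBC(readerKey, encB, false)
	msg := aesCBC(readerKey, append(append([]byte{}, rndA...), rotl(rndBSeen)...), true)
	// Card check: if RndB' is wrong the reader never held K, so the card stops here.
	plain := aesCBC(cardKey, msg, false)
	if !bytes.Equal(plain[aes.BlockSize:], rotl(rndB)) {
		return false
	}
	// Message 3, card -> reader: E_K(RndA'), which only a genuine card can produce.
	encA2 := aesCBC(cardKey, rotl(plain[:aes.BlockSize]), true)
	// Reader check: the card proved it holds K if E_K(RndA') decrypts to RndA'.
	return bytes.Equal(aesCBC(readerKey, encA2, false), rotl(rndA))
}
```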
