@silverpill Good question. Quick, shallow answer: this is just a login system, not an #ActivityPub instance. It could certainly be used in front of an ActivityPub instance, though, and in that context, it's definitely worth thinking about. I don't have any concrete answers, but off the top of my head:
The simplest option would be to create a new local actor, and use this purely for login. Sometimes this is the only option - IndieAuth and the native OIDC mode can both work without the existence of an AP actor at the IdP end.
Another option would be to pair it with AP C2S. The OAuth2/OIDC based modes can provide an access token as well as an identity; this could be used to authorise the RP to connect back to the IdP and post using C2S. This would take a bit of standardisation work, but not a lot; my impression is this would be fairly easy to build.
What if the user has a FEP-ef61 nomadic actor? Sending the private key from the IdP to the RP is probably not a very good idea, but perhaps the IdP could expose an access-controlled endpoint to generate a signature on the user's behalf. With this method the RP would construct an object with attributedTo set to the user's nomadic actor ID, request a signature from the IdP, and then distribute the object however it chooses. (In this case, perhaps the IdP should get to choose the new object's ID too, at which point this starts to look a lot like a variant of C2S.)