Authorizer Service Reference

This reference documentation provides comprehensive details about the authorizer service, its OpenID4VP capabilities, authorization policies, and integration with other Vidos services.

Overview

The authorizer service orchestrates the OpenID for Verifiable Presentations (OpenID4VP) authorization workflow by coordinating credential validation and verification through other Vidos services. Rather than performing validation or verification directly, the authorizer acts as an intelligent coordinator that parses authorization requests, delegates processing to specialized services, and manages the overall authorization decision process.

The authorizer handles multiple authorization flows including JWT-based authorization and device response authorization, supporting various credential formats while maintaining OpenID4VP protocol compliance. By leveraging the validator and verifier services, it ensures comprehensive evaluation of presentations while providing a unified authorization interface.

API Reference

The Authorizer service exposes RESTful APIs for performing authorization requests. The API provides endpoints for:

For detailed API documentation, including request/response formats, error codes, and usage examples, see the API Reference.

Authorization Policies

The authorizer implements modular authorization policies that process OpenID4VP requests through a coordinated workflow:

| Policy | Description | Processing Type |
|---|---|---|
| Format | Parses and formats authorization request data | Direct processing |
| Validate | Delegates structural validation to validator service | Service delegation |
| Verify | Delegates cryptographic verification to verifier service | Service delegation |

The format policy performs direct JWT parsing and data normalization within the authorizer, while validate and verify policies coordinate with external services for specialized processing. This hybrid approach optimizes performance through parallel service delegation while maintaining OpenID4VP-specific protocol handling.

See the Policies Reference for comprehensive details on all authorization policies, execution order, and coordination workflows.

Supported Authorization Types

The authorizer supports different OpenID4VP authorization flows based on request structure:

| Authorization Type | Description | Use Case | Policy Support |
|---|---|---|---|
| JWT-based Authorization | Standard OpenID4VP with JWT VP tokens | Standard OpenID4VP flows | Format + Validate + Verify |
| Device Response Authorization | Mobile device authorization flows | Mobile device optimization | Format + Validate + Verify |
| ID Token Flows | Enhanced authentication context | Additional identity verification | Format + Verify (no validate) |
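
The policy flow for JWT-carrying requests (format handled directly, validate and verify delegated in parallel, policy set chosen by authorization type as in the table above), shown as an added Python example that is not Vidos code. The names `POLICIES`, `format_policy`, `authorize`, the `delegates` callables standing in for validator and verifier service calls, and the sample token are all assumptions made for illustration.

```python
import base64
import json
from concurrent.futures import ThreadPoolExecutor

# Hypothetical mapping of authorization type to policies, following the table above.
# Device response is omitted: its payload is not a compact JWT.
POLICIES = {
    "jwt": ("format", "validate", "verify"),
    "id_token": ("format", "verify"),  # no validate step
}

def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token; the third segment is a placeholder, not a real signature.
SAMPLE = ".".join([_seg({"alg": "ES256"}), _seg({"vp": {}, "nonce": "n-1"}), "c2ln"])

def _json_segment(segment):
    padded = segment + "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def format_policy(token):
    """Parse and normalize a compact JWT. The result is untrusted: no signature check happens here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header, claims = _json_segment(parts[0]), _json_segment(parts[1])
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("JWT header and payload must be JSON objects")
    return {"header": header, "claims": claims, "raw": token}

def authorize(auth_type, token, delegates):
    """Format locally, delegate the rest in parallel, and fail closed on any error."""
    try:
        policies = POLICIES[auth_type]   # unknown type -> deny
        parsed = format_policy(token)    # malformed token -> deny
    except (KeyError, ValueError):
        return {"authorized": False, "policies": {"format": False}}
    results = {"format": True}
    with ThreadPoolExecutor() as pool:
        futures = {p: pool.submit(delegates[p], parsed) for p in policies[1:]}
        for name, fut in futures.items():
            try:
                results[name] = fut.result() is True  # only an explicit True passes
            except Exception:
                results[name] = False                 # delegate failure counts as deny
    return {"authorized": all(results.values()), "policies": results}
```

A delegate that raises or returns anything other than `True` yields a denial, so an unreachable validator or verifier can never turn into an approval.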

Standards Support

The authorizer coordinates verification across multiple credential and presentation standards through service delegation:

| Standard | Organization | Support Level | Processing Method | Notes |
|---|---|---|---|---|
| OpenID4VP | OpenID | Full | Direct + Delegation | Core authorization protocol |
| DIF Presentation Exchange | DIF | Full | Delegation | Presentation definition validation |
| W3C Verifiable Credentials v1.1 | W3C | Full | Delegation | Via validator/verifier services |
| W3C Verifiable Credentials v2.0 | W3C | Full | Delegation | Via validator/verifier services |
| IETF JWT Credentials | IETF | Full | Direct + Delegation | JWT parsing + service verification |
| IETF SD-JWT Credentials | IETF | Full | Direct + Delegation | Selective disclosure support |
| ISO 18013-5 (mDL) | ISO | Full | Delegation | Via validator/verifier services |

The authorizer directly handles OpenID4VP protocol specifics and JWT parsing, while delegating credential-specific validation and verification to specialized services. This architecture enables comprehensive standards support while maintaining clear separation of concerns.

Configuration

The authorizer service configuration controls OpenID4VP behavior, service delegation, and client presentation settings. Key configuration areas include:

  • CORS Configuration: Controls cross-origin access for web-based authorization flows
  • Policy Configuration: Specifies validator and verifier service instances and delegation behavior
  • OpenID4VP Settings: Configures authorization endpoints, expiration times, and client metadata

For comprehensive information about configuring the authorizer service, including all available options, policy settings, service instance references, and integration capabilities, see the Configuration Reference.

Service Integration

The authorizer integrates with other Vidos services through configurable service instance references:

Validator Service Integration

The authorizer delegates structural and content validation to the validator service through the validate policy. This includes:

  • Presentation Definition Validation: Ensures VP tokens satisfy presentation definition requirements
  • Credential Query Processing: Validates presentation submissions against credential queries
  • Format Validation: Confirms credential structural integrity

For details on validation processes, see the Validator Service Documentation.

Verifier Service Integration

The authorizer delegates cryptographic verification to the verifier service through the verify policy. This includes:

  • Signature Verification: Validates cryptographic proofs and digital signatures
  • Trust Chain Validation: Verifies issuer trust relationships
  • Credential Status Checking: Confirms credentials have not been revoked

For details on verification processes, see the Verifier Service Documentation.

Resolver Service Integration

The authorizer relies on the resolver service for DID document retrieval during the verification process, though this integration is handled transparently through the verifier service.

For details on DID resolution, see the Resolver Service Documentation.

Additional Resources