Authorization Policies Reference
This reference documents the authorization policies supported by the authorizer service. These policies coordinate the OpenID4VP authorization workflow by parsing authorization requests, delegating validation and verification to external services, and orchestrating the overall authorization decision process.
Available Authorization Policies
The authorizer service implements the following policies for authorization request processing:
Policy | Description | Key Function |
---|---|---|
Format | Parses and formats authorization request data | Transforms raw requests into structured data for processing |
Validate | Delegates structural validation to validator service | Ensures presentations meet definition requirements |
Verify | Delegates cryptographic verification to verifier service | Validates digital signatures and credential integrity |
Configuration
Each policy can be individually configured through the authorizer configuration. For detailed configuration options for all policies, see the Configuration Reference.
Policy Execution Order
The authorizer executes policies in a specific sequence to ensure efficient authorization processing:
- Format Policy - Parses authorization request data into structured format (always executed)
- Parallel Delegation Policies - Executed concurrently after successful formatting:
  - Validate Policy - Delegates to validator service for structural validation
  - Verify Policy - Delegates to verifier service for cryptographic verification
If the format policy fails, subsequent policies are skipped as they require the structured data output. The validate and verify policies run in parallel to optimize authorization performance.
Authorization Request Processing
```mermaid
flowchart TD
    subgraph "Authorization Request Processing"
        Input[Authorization Request] --> Format[Format Policy]
        Format --> FormatCheck{Format Success?}
        FormatCheck -->|Yes| Parallel[Parallel Processing]
        FormatCheck -->|No| FormatError[Format Error]
        Parallel --> Validate[Validate Policy]
        Parallel --> Verify[Verify Policy]
        Validate --> ValidateResult[Validation Result]
        Verify --> VerifyResult[Verification Result]
        ValidateResult --> Combine[Combine Results]
        VerifyResult --> Combine
        Combine --> Decision[Authorization Decision]
        FormatError --> Decision
    end
    subgraph "External Services"
        ValidatorService[Validator Service] -.-> |"Structural Validation"| Validate
        VerifierService[Verifier Service] -.-> |"Cryptographic Verification"| Verify
    end
    style Input fill:#f9f9f9,stroke:#333,stroke-width:1px
    style Format fill:#e1f5fe,stroke:#333,stroke-width:1px
    style Parallel fill:#e8f5e8,stroke:#333,stroke-width:1px
    style Validate fill:#fff3e0,stroke:#333,stroke-width:1px
    style Verify fill:#f3e5f5,stroke:#333,stroke-width:1px
    style Decision fill:#dcedc8,stroke:#333,stroke-width:1px
    style FormatError fill:#ffcdd2,stroke:#333,stroke-width:1px
    style ValidatorService fill:#fff9c4,stroke:#333,stroke-width:1px
    style VerifierService fill:#fff9c4,stroke:#333,stroke-width:1px
```
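The execution order and flowchart above, sketched as an added Python example (not the authorizer's own code): format runs first, validate and verify run concurrently, and the decision fails closed. The function names, the compact-JWT `vp_token` layout, the stand-in delegates and the rule that both delegated policies must succeed are assumptions made for illustration.

```python
import base64
import json
from concurrent.futures import ThreadPoolExecutor

def _b64url_json(segment):
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def format_policy(raw_request):
    # Parse only: nothing decoded here is trusted until the verify result is in.
    header, payload, signature = raw_request["vp_token"].split(".")
    return {"header": _b64url_json(header), "payload": _b64url_json(payload),
            "signing_input": f"{header}.{payload}", "signature": signature}

def _delegate(call, formatted):
    # An error or timeout from a delegated service counts as a failed policy.
    try:
        return bool(call(formatted)), None
    except Exception as exc:
        return False, f"{type(exc).__name__}: {exc}"

def authorize(raw_request, validate, verify):
    try:
        formatted = format_policy(raw_request)
    except (KeyError, ValueError, TypeError, AttributeError) as exc:
        # Format failed: validate and verify are skipped, the decision is deny.
        return {"authorized": False, "stage": "format", "errors": {"format": repr(exc)}}
    with ThreadPoolExecutor(max_workers=2) as pool:
        pending = {"validate": pool.submit(_delegate, validate, formatted),
                   "verify": pool.submit(_delegate, verify, formatted)}
        results = {name: future.result() for name, future in pending.items()}
    errors = {name: err or "policy returned failure"
              for name, (ok, err) in results.items() if not ok}
    # Assumed combine rule: both delegated policies must succeed.
    return {"authorized": not errors, "stage": "delegation", "errors": errors}

def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample request; "c2ln" is a placeholder signature, not a real one.
SAMPLE_REQUEST = {"vp_token": f"{_seg({'alg': 'ES256'})}.{_seg({'nonce': 'n-123'})}.c2ln"}

def sample_validate(formatted):
    # Stand-in for the validator service call (structural check only).
    return "nonce" in formatted["payload"]

def sample_verify(formatted):
    # Stand-in for the verifier service reply; performs no real cryptography.
    return formatted["header"].get("alg") == "ES256" and formatted["signature"] == "c2ln"
```
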
Policy Architecture
The authorizer policies follow a simple architecture that combines direct processing with service coordination:
Direct Processing Policy
- Format Policy - Performs actual JWT parsing, presentation submission processing, and data normalization within the authorizer service
Service Delegation Policies
- Validate Policy - Coordinates with validator service for structural and content validation
- Verify Policy - Coordinates with verifier service for cryptographic verification
This hybrid approach enables the authorizer to:
- Handle OpenID4VP-specific protocol processing internally
- Leverage specialized validation and verification services
- Maintain separation of concerns across the Vidos ecosystem
- Optimize performance through parallel service delegation
Supported Authorization Types
The authorizer policies support different OpenID4VP authorization flows:
Authorization Type | Format Policy Support | Validate Policy Support | Verify Policy Support | Use Case |
---|---|---|---|---|
JWT-based Authorization | ✅ | ✅ | ✅ | Standard OpenID4VP flows |
Device Response Authorization | ✅ | ✅ | ✅ | Mobile device optimization |
ID Token Flows | ✅ | ❌ | ✅ | Enhanced authentication context |
Supported Standards
The authorizer policies coordinate verification across multiple credential and presentation standards:
Standard | Organization | Format Policy | Validate Policy | Verify Policy | Notes |
---|---|---|---|---|---|
OpenID4VP | OpenID | ✅ | ✅ | ✅ | Core authorization protocol |
DIF Presentation Exchange | DIF | ✅ | ✅ | ✅ | Presentation definition validation |
W3C Verifiable Credentials v1.1 | W3C | ❌ | ✅ | ✅ | Delegated to validation/verification services |
W3C Verifiable Credentials v2.0 | W3C | ❌ | ✅ | ✅ | Delegated to validation/verification services |
W3C Data Integrity | W3C | ❌ | ✅ | ✅ | Delegated to validation/verification services |
IETF JWT Credentials | IETF | ✅ | ✅ | ✅ | JWT parsing and delegation |
IETF SD-JWT Credentials | IETF | ✅ | ✅ | ✅ | Selective disclosure support |
ISO 18013-5 (mDL) | ISO | ❌ | ✅ | ✅ | Delegated to validation/verification services |
Additional Resources
- Authorizer Configuration Reference
- Validator Service Documentation - For validation processes and policies
- Verifier Service Documentation - For verification processes and policies
- OpenID for Verifiable Presentations - Core authorization standard
- DIF Presentation Exchange - Presentation definition standard