Authorization Policies Reference

This reference documents the authorization policies supported by the authorizer service. These policies coordinate the OpenID4VP authorization workflow by parsing authorization requests, delegating validation and verification to external services, and orchestrating the overall authorization decision process.

Available Authorization Policies

The authorizer service implements the following policies for authorization request processing:

| Policy | Description | Key Function |
|---|---|---|
| Format | Parses and formats authorization request data | Transforms raw requests into structured data for processing |
| Validate | Delegates structural validation to validator service | Ensures presentations meet definition requirements |
| Verify | Delegates cryptographic verification to verifier service | Validates digital signatures and credential integrity |

Configuration

Each policy can be individually configured through the authorizer configuration. For detailed configuration options for all policies, see the Configuration Reference.

Policy Execution Order

The authorizer executes policies in a specific sequence to ensure efficient authorization processing:

  1. Format Policy - Parses authorization request data into structured format (always executed)
  2. Parallel Delegation Policies - Executed concurrently after successful formatting:
    • Validate Policy - Delegates to validator service for structural validation
    • Verify Policy - Delegates to verifier service for cryptographic verification

If the format policy fails, subsequent policies are skipped as they require the structured data output. The validate and verify policies run in parallel to optimize authorization performance.
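The ordering above can be sketched as follows. This is an added example, not the authorizer's own code: the function names, the stub delegates and the sample request are hypothetical, it narrows the format step to a `vp_token` carried as a compact JWT, and it assumes the decision requires both delegated policies to pass, with a delegate error counted as a failure.

```python
import asyncio, base64, json

def b64json(obj):
    """Encode a dict as an unpadded base64url JSON segment (used for the sample token)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def b64json_decode(seg):
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def format_policy(request):
    """Format step: parse the compact JWT into structured data. No signature check here."""
    parts = str(request.get("vp_token", "")).split(".")
    if len(parts) != 3:
        raise ValueError("vp_token is not a compact JWT")
    return {"header": b64json_decode(parts[0]), "claims": b64json_decode(parts[1]),
            "submission": request.get("presentation_submission")}

async def authorize(request, validate, verify):
    """Run format first, then both delegates concurrently; deny unless both return True."""
    result = {"format": "failed", "validate": "skipped", "verify": "skipped", "authorized": False}
    try:
        data = format_policy(request)
    except ValueError as exc:  # covers bad base64, bad JSON, wrong segment count
        result["error"] = str(exc)
        return result  # delegates are never called without structured data
    result["format"] = "passed"
    # return_exceptions=True keeps one delegate's outage from hiding the other's result
    outcomes = await asyncio.gather(validate(data), verify(data), return_exceptions=True)
    for name, outcome in zip(("validate", "verify"), outcomes):
        result[name] = "passed" if outcome is True else "failed"  # exception => failed
    result["authorized"] = result["validate"] == result["verify"] == "passed"
    return result

# Constructed stand-ins for the validator and verifier service calls (hypothetical).
async def validate_stub(data):
    await asyncio.sleep(0.01)
    return data["submission"] is not None

async def verify_stub(data):
    await asyncio.sleep(0.01)
    return data["header"].get("alg") == "ES256"  # placeholder; real verification is cryptographic

# Constructed sample request; the signature segment is a dummy value.
SAMPLE = {"vp_token": ".".join([b64json({"alg": "ES256"}), b64json({"iss": "did:example:holder"}), "c2ln"]),
          "presentation_submission": {"id": "sub-1"}}

if __name__ == "__main__":
    print(asyncio.run(authorize(SAMPLE, validate_stub, verify_stub)))
    print(asyncio.run(authorize({"vp_token": "not-a-jwt"}, validate_stub, verify_stub)))
```

Counting a delegate exception as a failed policy keeps the decision fail-closed when the validator or verifier service is unreachable.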

Authorization Request Processing

Policy Architecture

The authorizer policies follow a simple architecture that combines direct processing with service coordination:

Direct Processing Policy

  • Format Policy - Performs actual JWT parsing, presentation submission processing, and data normalization within the authorizer service

Service Delegation Policies

  • Validate Policy - Coordinates with validator service for structural and content validation
  • Verify Policy - Coordinates with verifier service for cryptographic verification

This hybrid approach enables the authorizer to:

  • Handle OpenID4VP-specific protocol processing internally
  • Leverage specialized validation and verification services
  • Maintain separation of concerns across the Vidos ecosystem
  • Optimize performance through parallel service delegation

Supported Authorization Types

The authorizer policies support different OpenID4VP authorization flows:

| Authorization Type | Format Policy Support | Validate Policy Support | Verify Policy Support | Use Case |
|---|---|---|---|---|
| JWT-based Authorization | | | | Standard OpenID4VP flows |
| Device Response Authorization | | | | Mobile device optimization |
| ID Token Flows | | | | Enhanced authentication context |

Supported Standards

The authorizer policies coordinate verification across multiple credential and presentation standards:

| Standard | Organization | Format Policy | Validate Policy | Verify Policy | Notes |
|---|---|---|---|---|---|
| OpenID4VP | OpenID | | | | Core authorization protocol |
| DIF Presentation Exchange | DIF | | | | Presentation definition validation |
| W3C Verifiable Credentials v1.1 | W3C | | | | Delegated to validation/verification services |
| W3C Verifiable Credentials v2.0 | W3C | | | | Delegated to validation/verification services |
| W3C Data Integrity | W3C | | | | Delegated to validation/verification services |
| IETF JWT Credentials | IETF | | | | JWT parsing and delegation |
| IETF SD-JWT Credentials | IETF | | | | Selective disclosure support |
| ISO 18013-5 (mDL) | ISO | | | | Delegated to validation/verification services |

Additional Resources