Verify Policy Reference

This reference documents the verify policy for the authorizer service. The verify policy delegates cryptographic verification of verifiable presentations and ID tokens to the configured verifier service, handling the coordination and result processing within the authorization workflow.

Policy Overview

The verify policy is a critical component of the authorization workflow that delegates cryptographic verification to the configured verifier service. Rather than performing verification directly, the authorizer acts as a coordinator, sending credentials and tokens to the verifier service and processing the results within the authorization context.

The policy's primary responsibilities include:

  • Service delegation: Routing verification requests to the configured verifier service instance
  • Token handling: Processing both VP tokens and ID tokens through appropriate verifier endpoints
  • Result integration: Converting verifier service responses into authorizer policy results
  • Error translation: Mapping verifier service errors to authorizer-specific error types

For details on the actual cryptographic verification processes, see the Verifier Service Documentation.

Verification Process

When processing verification requests, the policy follows these steps:

  1. Configuration check - Determines if verification should be skipped based on policy configuration
  2. Service client creation - Creates a verifier service client using configured service instance reference
  3. VP token verification - Sends VP token to verifier service for cryptographic verification
  4. ID token verification - If present, verifies ID token signatures and audience claims
  5. Result aggregation - Combines verification results from all processed tokens
  6. Error handling - Converts verifier service errors to appropriate authorizer policy errors

VP Token Verification

The verify policy handles VP token verification through the verifier service's /verify endpoint:

Verification Process

  1. Token extraction - Extracts the original VP token from the parsed authorization details
  2. Service delegation - Sends the token to the configured verifier service instance
  3. Result processing - Handles different response types from the verifier service
  4. Error translation - Converts verifier errors to authorizer-specific error types

Supported VP Token Formats

FormatDescriptionVerification ApproachSpecial Handling
JWT VPJWT-encoded verifiable presentationsStandard JWT signature verificationAudience validation support
mDocISO 18013-5 mobile documentsmDoc-specific cryptographic verificationDevice authentication handling
Data IntegrityW3C Data Integrity presentationsMulti-cryptosuite verificationSelective disclosure support

VP Token Response Handling

The policy handles different verifier service response scenarios:

Status CodeDescriptionPolicy ActionResult
200Successful verificationReturns verifier results directlyPass-through successful verification
422Validation errorsAdds authorizer verification error + verifier resultsCombined error information
≥500Internal server errorsCreates authorizer verification errorInternal error reporting
OtherUnexpected responsesCreates generic verification errorFallback error handling

ID Token Verification

For OpenID Connect ID tokens, the verify policy performs additional verification through the verifier service's /verify-jwt endpoint:

ID Token Process

  1. Token presence check - Only processes ID tokens when present in authorization request
  2. Audience extraction - Derives audience from VP token when VP is JWT format
  3. JWT verification - Validates ID token signature and claims
  4. Audience validation - Ensures ID token audience matches expected values

ID Token Error Handling

ScenarioError TypeDescriptionAction
Signature verificationIdTokenProofErrorInvalid cryptographic signatureReject authorization request
Audience mismatchIdTokenProofErrorID token audience claim invalidReject authorization request
Service errors (≥500)VerifyInternalErrorVerifier service internal errorLog error, reject request
Invalid responseIdTokenProofErrorUnexpected response formatReject authorization request

Configuration

The verify policy is configured through the authorizer service configuration. For complete configuration options, parameters, and examples, see the Authorizer Configuration Reference.

Key configuration aspects:

  • skip: Controls whether verification is performed
  • verifier: Specifies which verifier service instance to use

For details on how the verifier service performs cryptographic verification, see the Verifier Service Documentation and Verifier Configuration Reference.

Additional Resources