This reference documents the verify policy for the authorizer service. The verify policy delegates cryptographic verification of verifiable presentations and ID tokens to the configured verifier service, handling the coordination and result processing within the authorization workflow.
The verify policy is a critical component of the authorization workflow that delegates cryptographic verification to the configured verifier service. Rather than performing verification directly, the authorizer acts as a coordinator, sending credentials and tokens to the verifier service and processing the results within the authorization context.
The policy's primary responsibilities include:
For details on the actual cryptographic verification processes, see the Verifier Service Documentation.
When processing verification requests, the policy follows these steps:
The verify policy handles VP token verification through the verifier service's `/verify` endpoint:

| Format | Description | Verification Approach | Special Handling |
|---|---|---|---|
| JWT VP | JWT-encoded verifiable presentations | Standard JWT signature verification | Audience validation support |
| mDoc | ISO 18013-5 mobile documents | mDoc-specific cryptographic verification | Device authentication handling |
| Data Integrity | W3C Data Integrity presentations | Multi-cryptosuite verification | Selective disclosure support |
The policy handles the verifier service's response scenarios as follows:

| Status Code | Description | Policy Action | Result |
|---|---|---|---|
| 200 | Successful verification | Returns verifier results directly | Pass-through successful verification |
| 422 | Validation errors | Adds authorizer verification error + verifier results | Combined error information |
| ≥500 | Internal server errors | Creates authorizer verification error | Internal error reporting |
| Other | Unexpected responses | Creates generic verification error | Fallback error handling |
For OpenID Connect ID tokens, the verify policy performs additional verification through the verifier service's `/verify-jwt` endpoint:

| Scenario | Error Type | Description | Action |
|---|---|---|---|
| Signature verification | IdTokenProofError | Invalid cryptographic signature | Reject authorization request |
| Audience mismatch | IdTokenProofError | ID token audience claim invalid | Reject authorization request |
| Service errors (≥500) | VerifyInternalError | Verifier service internal error | Log error, reject request |
| Invalid response | IdTokenProofError | Unexpected response format | Reject authorization request |
The verify policy is configured through the authorizer service configuration. For complete configuration options, parameters, and examples, see the Authorizer Configuration Reference.
Key configuration aspects:
For details on how the verifier service performs cryptographic verification, see the Verifier Service Documentation and Verifier Configuration Reference.