Verify Policy Reference
This reference documents the verify policy for the authorizer service. The verify policy delegates cryptographic verification of verifiable presentations and ID tokens to the configured verifier service, handling the coordination and result processing within the authorization workflow.
Policy Overview
The verify policy is a critical component of the authorization workflow that delegates cryptographic verification to the configured verifier service. Rather than performing verification directly, the authorizer acts as a coordinator, sending credentials and tokens to the verifier service and processing the results within the authorization context.
The policy's primary responsibilities include:
- Service delegation: Routing verification requests to the configured verifier service instance
- Token handling: Processing both VP tokens and ID tokens through appropriate verifier endpoints
- Result integration: Converting verifier service responses into authorizer policy results
- Error translation: Mapping verifier service errors to authorizer-specific error types
For details on the actual cryptographic verification processes, see the Verifier Service Documentation.
Verification Process
When processing verification requests, the policy follows these steps:
- Configuration check - Determines if verification should be skipped based on policy configuration
- Service client creation - Creates a verifier service client using configured service instance reference
- VP token verification - Sends VP token to verifier service for cryptographic verification
- ID token verification - If present, verifies ID token signatures and audience claims
- Result aggregation - Combines verification results from all processed tokens
- Error handling - Converts verifier service errors to appropriate authorizer policy errors
VP Token Verification
The verify policy handles VP token verification through the verifier service's /verify endpoint:
Verification Process
- Token extraction - Extracts the original VP token from the parsed authorization details
- Service delegation - Sends the token to the configured verifier service instance
- Result processing - Handles different response types from the verifier service
- Error translation - Converts verifier errors to authorizer-specific error types
Supported VP Token Formats
| Format | Description | Verification Approach | Special Handling |
|---|---|---|---|
| JWT VP | JWT-encoded verifiable presentations | Standard JWT signature verification | Audience validation support |
| mDoc | ISO 18013-5 mobile documents | mDoc-specific cryptographic verification | Device authentication handling |
| Data Integrity | W3C Data Integrity presentations | Multi-cryptosuite verification | Selective disclosure support |
VP Token Response Handling
The policy handles different verifier service response scenarios:
| Status Code | Description | Policy Action | Result |
|---|---|---|---|
| 200 | Successful verification | Returns verifier results directly | Pass-through successful verification |
| 422 | Validation errors | Adds authorizer verification error + verifier results | Combined error information |
| ≥500 | Internal server errors | Creates authorizer verification error | Internal error reporting |
| Other | Unexpected responses | Creates generic verification error | Fallback error handling |
ID Token Verification
For OpenID Connect ID tokens, the verify policy performs additional verification through the verifier service's /verify-jwt endpoint:
ID Token Process
- Token presence check - Only processes ID tokens when present in authorization request
- Audience extraction - Derives audience from VP token when VP is JWT format
- JWT verification - Validates ID token signature and claims
- Audience validation - Ensures ID token audience matches expected values
ID Token Error Handling
| Scenario | Error Type | Description | Action |
|---|---|---|---|
| Signature verification | IdTokenProofError | Invalid cryptographic signature | Reject authorization request |
| Audience mismatch | IdTokenProofError | ID token audience claim invalid | Reject authorization request |
| Service errors (≥500) | VerifyInternalError | Verifier service internal error | Log error, reject request |
| Invalid response | IdTokenProofError | Unexpected response format | Reject authorization request |
Configuration
The verify policy is configured through the authorizer service configuration. For complete configuration options, parameters, and examples, see the Authorizer Configuration Reference.
Key configuration aspects:
- skip: Controls whether verification is performed
- verifier: Specifies which verifier service instance to use
For details on how the verifier service performs cryptographic verification, see the Verifier Service Documentation and Verifier Configuration Reference.
Additional Resources
- Authorizer Configuration Reference
- Verifier Service Documentation - For details on cryptographic verification processes
- Verifier Configuration Reference - For verifier service configuration options
- Verifier Service Policies - For detailed verification policy documentation
- OpenID for Verifiable Presentations
- W3C Verifiable Credentials Data Model
- ISO 18013-5:2021 Mobile Driving License