16 Using verifiable credentials for authorization

This chapter covers

  • Why traditional account-based and federated identity models face challenges when authority exists outside the organization
  • How verifiable credentials enable portable, cryptographically verifiable claims for authorization decisions
  • How organizations can build trust and confidence in credential-based attributes
  • How credential presentations are used in policy evaluation
  • Patterns for integrating verifiable credentials with policy-based authorization models, including attribute- and relationship-based methods

As ACME’s collaboration platforms expanded—including the legacy Customer Collaboration system and the newer multi-tenant Customer Collaboration Cloud (C³)—they came to support several closely related service areas: the traditional customer and project work, a portal that manufacturers use for managing suppliers, a clinic-integration API and management system branded ACME Health, and a platform that ACME provides to other companies for supporting their service technicians in the field. These are not standalone products so much as different expressions of the same platform. Each one depends on authorization decisions that must be made quickly and consistently with high assurance, even when the people involved have no accounts in ACME’s internal identity systems.

16.1 Why authorization needs verifiable credentials

16.2 How verifiable credentials work

16.2.1 Credential presentation

16.2.2 Example: Contractor access using verifiable credentials

16.3 Trusting credential issuers

16.3.1 Example: ACME onboards AuditsRUs as a trusted issuer

16.3.2 Building and maintaining ACME’s trust store

16.4 Credential freshness, revocation, and assurance

16.5 Requesting verifiable credential presentations

16.6 Using verifiable credentials with policies

16.6.1 Allow access only to auditors from accredited firms

16.6.2 Require current certification from an accredited authority

16.7 Protocols and ecosystem integration

16.8 Applying verifiable credentials across ACME’s products

16.8.1 Supplier portal: Representing supplier authority across multi-tier relationships

16.8.2 Clinic integration: Clinicians from external organizations

16.8.3 Field technicians: Employer-issued scope-of-work credentials

16.8.4 Customer Collaboration Cloud (C³): Project-scoped roles in a multi-tenant platform

16.9 Operational and governance considerations

16.9.1 Deciding when to use verifiable credentials

16.9.2 Failure modes and fallback paths

16.9.3 Governance responsibilities