Federated Credentials & Fine-Grained Authorization with Didit
Explore how to implement robust federated credentials and fine-grained authorization using Didit for identity verification and Cerbos for policy enforcement.

Decouple Identity and Authorization
Separate identity verification from authorization policy enforcement to create more flexible and scalable security architectures. Didit handles the federated identity, while Cerbos manages granular access policies.
Enhance Security with Fine-Grained Control
Implement precise access rules based on user attributes, roles, and resource context, going beyond traditional role-based access control (RBAC) for superior security and compliance.
Streamline Developer Experience
Leverage Didit's developer-first APIs and programmatic authentication to easily integrate identity verification into your applications, simplifying credential management and user onboarding.
Didit Powers Secure Foundations
Didit provides the essential identity verification and credential management, including Free Core KYC, allowing businesses to build complex authorization systems with confidence and ease.
The Challenge of Modern Authorization
In today's interconnected digital landscape, simply knowing who a user is (authentication) is no longer enough. Businesses need to control what that user can do, when, and under what conditions (authorization). This challenge becomes even more complex when dealing with federated identities, where users might authenticate through various external providers. Traditional authorization models, such as basic Role-Based Access Control (RBAC), often fall short, leading to over-permissioning, security vulnerabilities, and difficulties in managing complex business logic.
Fine-grained authorization, on the other hand, allows for highly specific access decisions based on a multitude of factors: user attributes (e.g., age, country, verified status), resource attributes (e.g., document type, data sensitivity), environmental context (e.g., time of day, IP address), and even relationships between entities. Implementing this level of control requires a robust identity verification system and a powerful authorization engine working in tandem.
Federated Credentials and Didit's Role
Federated credentials allow users to authenticate once with an identity provider (IdP) and then access multiple services without re-entering their credentials. This improves user experience and centralizes identity management. However, it also means that the authorization system must be able to ingest and interpret identity assertions from various sources.
Didit, as an AI-native identity platform, plays a crucial role here. It provides the foundational layer for verifying and managing federated identities. Whether a user is onboarding for the first time or re-authenticating, Didit ensures the identity is legitimate and provides verified attributes. For instance, Didit's ID Verification (OCR, MRZ, barcodes) can verify a user's identity document, while Passive & Active Liveness ensures they are a real person and not a deepfake. For age-restricted services, Didit's Age Estimation offers a privacy-preserving way to confirm age without collecting excessive personal data. These verified attributes are then crucial inputs for a fine-grained authorization system.
Didit's programmatic authentication capabilities are particularly powerful for federated scenarios. Developers can use Didit's API to verify email addresses and obtain credentials programmatically, as demonstrated by the /programmatic/verify-email/ endpoint. This allows for seamless integration with existing identity flows or for building custom authentication experiences that feed into a federated model.
Introducing Cerbos for Fine-Grained Authorization
Cerbos is an open-source, decoupled authorization layer that enables developers to implement fine-grained access control policies. It works by taking a request (who, what, when, where) and evaluating it against a set of policies written in a human-readable language (YAML or CUE). Cerbos's policy-as-code approach brings many benefits, including version control, auditability, and easier testing of authorization logic.
When integrating with Didit, Cerbos can leverage the rich, verified identity data provided by Didit. For example, after a user successfully completes a Didit ID Verification flow, Didit can provide attributes like the user's country of residence, age, or verification status. These attributes can then be passed to Cerbos as part of an authorization request. Cerbos policies can then dictate, for instance, that 'only users with a verified ID from an EU country can access data marked as sensitive EU data.'
Architecting the Integration: Didit + Cerbos
The integration of Didit and Cerbos typically follows these steps:
- User Authentication & Verification (Didit): A user initiates authentication. Didit handles the verification process using products like ID Verification, Passive & Active Liveness, or even Phone & Email Verification. Upon successful verification, Didit provides a secure token (e.g., an access token) and potentially a set of verified attributes (e.g., is_verified: true, age_group: '18-24', country: 'DE').
- Identity & Attributes Propagation: The application backend receives the authenticated user's identity and any relevant attributes from Didit. These attributes are often included in the user's session or a profile store.
- Authorization Request (Cerbos): When the user attempts an action (e.g., 'read document X', 'update profile Y'), the application backend constructs an authorization request for Cerbos. This request includes:
  - The principal (the user) and their attributes (e.g., { id: 'user123', roles: ['editor'], country: 'DE', is_verified: true }). These attributes are enriched by Didit's verification process.
  - The resource being accessed (e.g., { kind: 'document', id: 'doc456', owner: 'user123', sensitivity: 'sensitive_eu' }).
  - The action being performed (e.g., 'read', 'update').
- Policy Evaluation (Cerbos): Cerbos evaluates the request against its pre-defined policies. For example, a policy might allow the action only when all of the following conditions hold:
  - principal.attr.is_verified == true
  - principal.attr.country == resource.attr.country
  - resource.attr.sensitivity == 'sensitive_eu'
  -> allow
- Decision Enforcement: Based on Cerbos's decision (ALLOW/DENY), the application either grants or denies access to the requested resource or action.
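The five steps above, and the "verified ID from an EU country can access sensitive EU data" rule from the Cerbos section, as an added, runnable Python example. This is not Didit's or Cerbos's own code: it shapes constructed Didit-style verified attributes into a Cerbos principal, builds the request body in the form of Cerbos's CheckResources API, embeds the page's pseudo-rule as an equivalent Cerbos YAML resource policy (an assumed translation; Cerbos conditions reach the attributes as request.principal.attr and request.resource.attr), and evaluates that rule locally so the ALLOW/DENY outcomes can be checked without a running policy decision point. The Didit response field names, the user ids and the documents are all constructed for the example.

```python
"""Added example (not Didit's or Cerbos's own code): build the Cerbos
authorization request described above from Didit-verified attributes and
evaluate the page's example rule locally."""
import json
from typing import Any

# The page's pseudo-rule translated into a Cerbos resource policy (assumed
# translation). In Cerbos CEL conditions the attributes are reached through
# request.principal.attr and request.resource.attr.
DOCUMENT_POLICY_YAML = """\
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "document"
  rules:
    - actions: ["read"]
      effect: EFFECT_ALLOW
      roles: ["*"]
      condition:
        match:
          all:
            of:
              - expr: request.principal.attr.is_verified == true
              - expr: request.principal.attr.country == request.resource.attr.country
              - expr: request.resource.attr.sensitivity == "sensitive_eu"
"""


def principal_from_didit(user_id: str, roles: list[str], didit_attrs: dict[str, Any]) -> dict[str, Any]:
    """Step 2: take the verified attributes returned after a Didit flow (field
    names here are constructed, not Didit's documented schema) and shape them as
    a Cerbos principal. Cerbos keeps custom attributes under "attr", separate
    from "id" and "roles"."""
    return {
        "id": user_id,
        "roles": list(roles),
        "attr": {
            "is_verified": bool(didit_attrs.get("is_verified", False)),
            "country": didit_attrs.get("country"),
            "age_group": didit_attrs.get("age_group"),
        },
    }


def build_check_request(principal: dict[str, Any], resource: dict[str, Any],
                        actions: list[str], request_id: str = "req-1") -> dict[str, Any]:
    """Step 3: the body an application sends to the Cerbos PDP's CheckResources
    endpoint (one principal, one or more resources, actions per resource)."""
    return {
        "requestId": request_id,
        "principal": principal,
        "resources": [{"resource": resource, "actions": list(actions)}],
    }


def evaluate_document_read(principal: dict[str, Any], resource: dict[str, Any]) -> str:
    """Step 4, done locally: the three conditions of the page's rule. A missing
    attribute (for example a resource without "country") cannot satisfy the
    comparison, so the result is a deny: evaluation fails closed."""
    p_attr, r_attr = principal["attr"], resource.get("attr", {})
    if p_attr.get("country") is None or r_attr.get("country") is None:
        return "EFFECT_DENY"
    conditions = (
        p_attr.get("is_verified") is True,
        p_attr["country"] == r_attr["country"],
        r_attr.get("sensitivity") == "sensitive_eu",
    )
    return "EFFECT_ALLOW" if all(conditions) else "EFFECT_DENY"


def decide(request: dict[str, Any]) -> list[dict[str, Any]]:
    """Local stand-in for the PDP: one effect per resource and action. A
    (kind, action) pair with no matching rule is denied, which is also Cerbos's
    default when no rule allows an action."""
    results = []
    for item in request["resources"]:
        resource = item["resource"]
        effects = {}
        for action in item["actions"]:
            if resource["kind"] == "document" and action == "read":
                effects[action] = evaluate_document_read(request["principal"], resource)
            else:
                effects[action] = "EFFECT_DENY"
        results.append({"resource": resource["id"], "actions": effects})
    return results


def run_samples() -> dict[str, str]:
    """Step 5: constructed cases whose decisions the application would enforce."""
    verified_de = {"is_verified": True, "country": "DE", "age_group": "18-24"}  # constructed
    unverified = {"is_verified": False, "country": "DE"}                        # constructed
    eu_doc = {"kind": "document", "id": "doc456",
              "attr": {"owner": "user123", "country": "DE", "sensitivity": "sensitive_eu"}}
    fr_doc = {"kind": "document", "id": "doc789",
              "attr": {"owner": "user999", "country": "FR", "sensitivity": "sensitive_eu"}}
    no_country_doc = {"kind": "document", "id": "doc000", "attr": {"sensitivity": "sensitive_eu"}}

    def effect(didit_attrs: dict[str, Any], resource: dict[str, Any], action: str) -> str:
        principal = principal_from_didit("user123", ["editor"], didit_attrs)
        return decide(build_check_request(principal, resource, [action]))[0]["actions"][action]

    return {
        "verified_de_read_de_doc": effect(verified_de, eu_doc, "read"),
        "unverified_read_de_doc": effect(unverified, eu_doc, "read"),
        "verified_de_read_fr_doc": effect(verified_de, fr_doc, "read"),
        "verified_de_update_de_doc": effect(verified_de, eu_doc, "update"),
        "resource_missing_country": effect(verified_de, no_country_doc, "read"),
    }


if __name__ == "__main__":
    sample_principal = principal_from_didit("user123", ["editor"], {"is_verified": True, "country": "DE"})
    sample_resource = {"kind": "document", "id": "doc456", "attr": {"country": "DE", "sensitivity": "sensitive_eu"}}
    print(json.dumps(build_check_request(sample_principal, sample_resource, ["read"]), indent=2))
    for case, result in run_samples().items():
        print(f"{case}: {result}")
```

Two points worth noticing when moving from this local evaluator to a real Cerbos deployment. First, the rule as written compares the principal's country with the resource's country, so the resource must actually carry a country attribute; the document in the text above has only owner and sensitivity, and with that request the rule can never allow, which is why the example adds country to the resource and keeps the missing-attribute case as an explicit deny. Second, only the "read" action has a rule, so "update" is denied by default; each additional action needs its own rule in the policy, and every attribute the policy depends on must be one Didit actually verified rather than one the user supplied.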
This decoupled architecture ensures that authorization logic is externalized from the application code, making it easier to manage, audit, and evolve without redeploying the entire application. Didit's modular approach to identity verification perfectly complements this, allowing businesses to plug in the exact verification checks needed for their authorization policies, without unnecessary overhead.
How Didit Helps
Didit provides the robust and flexible identity verification foundation necessary for implementing sophisticated federated credentials and fine-grained authorization systems. Our AI-native, developer-first platform is designed to seamlessly integrate with authorization engines like Cerbos, offering:
- Modular Identity Building Blocks: Didit's composable identity primitives allow you to select and combine verification methods as needed. From ID Verification to Passive & Active Liveness, 1:1 Face Match, and AML Screening & Monitoring, you get precisely the identity data required for your authorization policies.
- Rich, Verified Attributes: Didit doesn't just authenticate; it verifies. This means you receive high-confidence identity attributes (e.g., age, country, verification status) that are essential inputs for fine-grained authorization decisions, enabling policies like 'only verified users over 21 from specific regions can access.'
- Developer-First Experience: With clean APIs, instant sandboxes, and comprehensive documentation, integrating Didit's identity verification into your application is straightforward. Our programmatic authentication endpoints streamline the credential acquisition process, making federated identity management easier than ever.
- Free Core KYC: Didit offers a Free Core KYC tier, allowing you to start building and testing your identity and authorization flows without upfront costs. This enables rapid prototyping and ensures that you can implement a secure foundation from day one.
- Global by Design: Didit's platform is built for global scale, supporting various document types and compliance requirements. This ensures that your fine-grained authorization policies can be applied consistently across a diverse user base, with options for in-country data residency for enterprise accounts.
- Orchestrated Workflows: Use Didit's no-code Business Console to orchestrate complex KYC workflows, which can then feed into your authorization layer. This allows for dynamic adjustments to verification requirements based on risk profiles, further enhancing the data available for Cerbos policies.
By leveraging Didit for identity verification, businesses can reliably assert user identities and their associated attributes, providing Cerbos with the crucial context needed to make accurate and secure fine-grained authorization decisions. This combination results in a powerful, scalable, and auditable security architecture.
Ready to Get Started?
Ready to see Didit in action? Get a free demo today.
Start verifying identities for free with Didit's free tier.