Just like in a conventional authorization. When the user enters a username and password, you check the availability of the user and compare the password?
In the case of VC, during the first authorization, you keep in database the user id of the VC, and of soap, if needed. when re-authorization, check whether you have this user VK in the database, if there is, authoritiesi it.
Or the question is not VC, and the method of authorization?