OpenID Connect (OIDC) and OAuth Protocol Virtualization, using Virtuoso

Kingsley Uyi Idehen
OpenLink Virtuoso Weblog
Jan 16, 2019

The Virtuoso Authentication Layer (VAL) module of Virtuoso adds a powerful Authentication Protocol Virtualization Layer to a Virtuoso instance.

This functionality enables a Virtuoso Instance to function as an OpenID Connect (OIDC) or OAuth Relying Party (a Relying Party is a client that delegates authentication to a 3rd party provider) or function as the Identity Provider (IdP) in its own right. In either situation, OIDC and OAuth Protocols are supported, alongside other protocols including TLS, WebID-TLS, WebID-OIDC, Digest Authentication, and the original OpenID.

Why is this important?

It provides powerful loose-coupling of Identity, Identification, Authentication, and Authorization across a variety of existing protocols. For instance, it sets the stage for HTTP-based Read-Write Applications that can authenticate the identities of a wide range of users rather than adding that burden to the application development effort.

For example, at OpenLink we have approximately 100,000 (and counting) user accounts, collated over the years from customers and evaluators of our technology, managed by our main Identity Provider. Inrupt, a startup in the Read-Write Web space has accumulated approximately 65,000 (and counting) accounts since its recent coming out announcement. Google, Facebook, Twitter, LinkedIn, SalesForce.com, Microsoft, Dropbox, and many others collectively have billions of user accounts, too!

Various Identity Provider Services associated with large User Account Collections

In all of these cases, an ability to delegate identity authentication to these services trumps the burden of recreating and managing these accounts — which is the problem solved by this powerful virtualization functionality.

Setup and Use

Prerequisites

  1. A functional Virtuoso instance
  2. A functional Virtuoso HTTPS Listener
  3. Conductor VAD Package installed
  4. VAL VAD Package installed
  5. ODS Framework VAD Package installed — Optional, but useful

Setting up Virtuoso as an OpenID Connect Identity Provider (IdP)

At the end of this process, a client application operating as a Relying Party (RP) will be registered and provided with credentials (API Key and Session Secret) for securely accessing the Identity Provider's services provided by the Virtuoso instance.

(1) Visit the OIDC Provider's RP (Client Application) Registration Endpoint, http://<cname>:<port>/oauth/applications.vsp, where <cname>:<port> is replaced by your local server values (e.g., https://ods-qa.openlinksw.com/oauth/applications.vsp), and authenticate as a user with DBA privileges, such as dba.

Displays your Registered Application (if you created any prior) in addition to those created by others

(2) Click the Create New Application button to start the registration process for your Client Application.

(2a) Enter a Name and Description that will be meaningful to you later.

(2b) Provide the Link to your Client’s protected service endpoint (the URL that identifies the service endpoint bound to the IdP), e.g., https://kingsley.idehen.net/sparql (for the SPARQL Query Service using VAL).

(2c) Provide your Client’s OAuth callback URL, e.g., https://kingsley.idehen.net/val/api/third_party_callback.

(2d) Click Create Application to finish the Client registration.

(3) For good measure, and for future use, capture the IdP’s configuration information (by clicking View/Edit to copy Application Key & Application Secret). The following is an example OIDC IdP Provider Configuration/Profile Doc for ODS-QA, obtained from https://ods-qa.openlinksw.com/.well-known/openid-configuration:

{
  "issuer": "http://ods-qa.openlinksw.com",
  "authorization_endpoint": "https://ods-qa.openlinksw.com/OAuth2/authorize",
  "token_endpoint": "https://ods-qa.openlinksw.com/OAuth2/token",
  "userinfo_endpoint": "https://ods-qa.openlinksw.com/OAuth2/userinfo",
  "registration_endpoint": "https://ods-qa.openlinksw.com/OAuth2/register",
  "jwks_uri": "https://ods-qa.openlinksw.com/OAuth2/keys",
  "id_token_signing_alg_values_supported": [ "RSA" ],
  "scopes_supported": [ "openid", "profile", "email", "address", "phone", "webid" ],
  "response_types_supported": [ "code", "code id_token" ],
  "subject_types_supported": [ "public" ]
}
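Before an RP trusts a provider configuration like the one above, it should check the document against what OIDC Discovery requires. The following is an added example (not code from this post or from Virtuoso/VAL) that embeds the ODS-QA document quoted above so the checks run offline, alongside a constructed clean document for comparison. The rules are this example's own reading of OIDC Discovery 1.0 and the JWA algorithm registry; run against the quoted document, they flag the http issuer, the mismatch between that issuer and the https URL the document was fetched from, and the alg name "RSA", which is a JWK key type rather than a JWS signing algorithm name such as RS256.

```python
"""Offline sanity checks over an OIDC provider configuration document.

Added example, not part of the original post or of Virtuoso/VAL. The first
document is the ODS-QA configuration quoted in the post; the second is a
constructed clean document. The rules are this example's reading of OIDC
Discovery 1.0 and the JWA registry, not Virtuoso behaviour.
"""
import json
from urllib.parse import urlparse

# Copied from the post (ODS-QA) so the checks run without network access.
ODS_QA_DISCOVERY = """
{
  "issuer": "http://ods-qa.openlinksw.com",
  "authorization_endpoint": "https://ods-qa.openlinksw.com/OAuth2/authorize",
  "token_endpoint": "https://ods-qa.openlinksw.com/OAuth2/token",
  "userinfo_endpoint": "https://ods-qa.openlinksw.com/OAuth2/userinfo",
  "registration_endpoint": "https://ods-qa.openlinksw.com/OAuth2/register",
  "jwks_uri": "https://ods-qa.openlinksw.com/OAuth2/keys",
  "id_token_signing_alg_values_supported": [ "RSA" ],
  "scopes_supported": [ "openid", "profile", "email", "address", "phone", "webid" ],
  "response_types_supported": [ "code", "code id_token" ],
  "subject_types_supported": [ "public" ]
}
"""

# Constructed document with nothing to flag (idp.example is a placeholder host).
CLEAN_DISCOVERY = """
{
  "issuer": "https://idp.example",
  "authorization_endpoint": "https://idp.example/authorize",
  "token_endpoint": "https://idp.example/token",
  "userinfo_endpoint": "https://idp.example/userinfo",
  "jwks_uri": "https://idp.example/keys",
  "id_token_signing_alg_values_supported": [ "RS256" ],
  "scopes_supported": [ "openid", "profile" ],
  "response_types_supported": [ "code" ],
  "subject_types_supported": [ "public" ]
}
"""

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint",
             "jwks_uri", "registration_endpoint")
# JWS 'alg' names a relying party's JOSE library will recognise (RFC 7518, RFC 8037).
KNOWN_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
              "ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512"}


def check_discovery(doc_text, expected_issuer=None):
    """Return a list of findings; an empty list means nothing looked off."""
    doc = json.loads(doc_text)
    findings = []
    for key in REQUIRED:
        if key not in doc:
            findings.append(f"missing required field: {key}")
    issuer = doc.get("issuer", "")
    # Discovery requires the issuer to equal the URL prefix the document was fetched from.
    if expected_issuer is not None and issuer != expected_issuer:
        findings.append(f"issuer {issuer} does not match {expected_issuer}")
    if urlparse(issuer).scheme != "https":
        findings.append(f"issuer is not https: {issuer}")
    for key in ENDPOINTS:
        url = doc.get(key)
        if url is None:
            continue
        if urlparse(url).scheme != "https":
            findings.append(f"{key} is not https: {url}")
        if urlparse(url).hostname != urlparse(issuer).hostname:
            findings.append(f"{key} is on a different host than the issuer: {url}")
    if "code" not in doc.get("response_types_supported", []):
        findings.append("authorization code flow not advertised")
    if "openid" not in doc.get("scopes_supported", []):
        findings.append("openid scope not advertised")
    for alg in doc.get("id_token_signing_alg_values_supported", []):
        if alg == "none":
            findings.append("unsigned id_tokens (alg none) advertised")
        elif alg not in KNOWN_ALGS:
            findings.append(f"unrecognised id_token signing alg name: {alg}")
    return findings


if __name__ == "__main__":
    for line in check_discovery(ODS_QA_DISCOVERY, "https://ods-qa.openlinksw.com"):
        print("finding:", line)
```

Pass the URL prefix the document was actually fetched from as expected_issuer; an RP that skips that comparison can be pointed at a document describing a different issuer.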

Setting up Virtuoso as a Relying Party (RP a/k/a Client Application) for 3rd Party IdP Registration

At the end of this process, the client will be fully configured for secure authentication of identities associated with a designated IdP.

(1) Go to the OAuth Administration page in the Conductor (note: this will not be present until VAL is installed), http://<cname>:<port>/oauth/admin.vsp, where <cname>:<port> is replaced by your local server values (e.g., https://ods-qa.openlinksw.com/oauth/admin.vsp), and authenticate as a user with DBA privileges, such as dba.

(2) In the OAuth Client API Keys section, click the Add OAuth API Key button. This input dialog will appear:

(3) Choose Custom Service Type by ticking the check-box. The dialog input boxes will change:

(4) Fill in the information requested by the input fields, and click the Add API Key button.

Here's the Virtuoso Authentication Layer dialog presented at login time following successful application of the steps above.

Protected SPARQL Query Service Endpoint and Authentication Dialog

Setup Verification & Demonstration using our Live URIBurner SPARQL Query Service Endpoint

(1) Go to the SPARQL endpoint for your instance, http://<cname>:<port>/sparql, where <cname>:<port> is replaced by your local server values (e.g., https://linkeddata.uriburner.com/sparql), and click the Login link if not immediately prompted.

(2) Click the More button, and choose one of the following icons — Virtuoso, OIDC, Solid.

(3) You will be redirected to the IdP authentication dialog of the selected IdP.

(4) Choose one of the bound IdP icons presented in the VAL dialog — again, note the More button for additional IdPs, including Virtuoso, OIDC, Solid.

(5) Click the Authorize app (or similar) button presented in the IdP dialog — this will differ on different IdPs.

(6) You will be redirected back to the VAL dialog of the instance.

(7) Again, click the Authorize button.

(8) Voila! You will be logged in to the SPARQL Query Service Access Point.
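The redirects in steps (3) through (8) are one OIDC authorization-code exchange: the RP sends the browser to the IdP's authorization endpoint, the IdP sends it back to the RP's callback with a code, and the RP exchanges that code for an id_token which it must verify before treating the user as logged in. The following is an added example (not code from this post or from Virtuoso/VAL) that simulates both sides in memory with the checks a relying party is expected to make: a per-login state value that blocks cross-site request forgery and callback replay, a nonce bound into the id_token, and verification of the token's signature, issuer, audience and expiry. For self-containment the toy IdP signs with HS256 using the client secret (an assumption; the ODS-QA configuration quoted earlier advertises RSA signing), and all hosts, keys and secrets are constructed placeholders.

```python
"""Simulated OIDC authorization-code login between a relying party and an IdP.

Added example; not code from the post or from Virtuoso. Both parties are toy
in-memory stand-ins. The IdP signs the id_token with HS256 using the client
secret (an assumption for self-containment; the ODS-QA provider quoted in the
post advertises RSA signing). All hosts, keys and secrets are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://idp.example"                                     # constructed
CLIENT_ID = "example-application-key"                              # constructed, stands in for the Application Key
CLIENT_SECRET = b"example-application-secret"                      # constructed, stands in for the Application Secret
REDIRECT_URI = "https://rp.example/val/api/third_party_callback"   # constructed, mirrors the callback path in the post


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ToyIdP:
    """Authorization and token endpoints reduced to two methods."""

    def __init__(self):
        self.codes = {}  # authorization code -> (subject, nonce, redirect_uri)

    def authorize(self, query: str, subject: str = "alice") -> str:
        """User approves the request (step 5); IdP redirects back with a code (step 6)."""
        q = parse_qs(query)
        if q["response_type"] != ["code"] or q["client_id"] != [CLIENT_ID]:
            raise ValueError("unknown client or unsupported response_type")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (subject, q["nonce"][0], q["redirect_uri"][0])
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, code: str, redirect_uri: str, client_id: str, client_secret: bytes) -> dict:
        """Exchange a single-use code for an id_token after authenticating the client."""
        subject, nonce, bound_uri = self.codes.pop(code)  # KeyError if the code is reused
        if bound_uri != redirect_uri or client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise ValueError("client authentication or redirect_uri mismatch")
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID, "nonce": nonce, "iat": now, "exp": now + 300}
        signing_input = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()) + "." + b64url(json.dumps(claims).encode())
        signature = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
        return {"id_token": signing_input + "." + b64url(signature), "token_type": "Bearer"}


def verify_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Checks a relying party must make before trusting the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or an algorithm you did not pin
    expected_sig = hmac.new(CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was not issued to this client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or cross-session token)")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


class RelyingParty:
    def __init__(self, idp: ToyIdP):
        self.idp = idp
        self.pending = {}  # state -> nonce, held server-side for one login attempt

    def start_login(self) -> str:
        """Build the redirect to the IdP (step 3)."""
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = nonce
        return ISSUER + "/authorize?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "openid profile webid", "state": state, "nonce": nonce})

    def finish_login(self, callback_url: str) -> dict:
        """Handle the callback (steps 6 and 7): state check, code exchange, token checks."""
        q = parse_qs(urlparse(callback_url).query)
        nonce = self.pending.pop(q.get("state", [""])[0], None)
        if nonce is None:
            raise ValueError("unknown or already-used state")  # blocks CSRF and replayed callbacks
        tokens = self.idp.token(q["code"][0], REDIRECT_URI, CLIENT_ID, CLIENT_SECRET)
        return verify_id_token(tokens["id_token"], nonce)


def run_login() -> dict:
    """One complete login; returns the verified id_token claims."""
    idp = ToyIdP()
    rp = RelyingParty(idp)
    callback_url = idp.authorize(urlparse(rp.start_login()).query)
    return rp.finish_login(callback_url)


def replay_is_rejected() -> bool:
    """Delivering the same callback twice must fail at the state check."""
    idp = ToyIdP()
    rp = RelyingParty(idp)
    callback_url = idp.authorize(urlparse(rp.start_login()).query)
    rp.finish_login(callback_url)
    try:
        rp.finish_login(callback_url)
    except ValueError:
        return True
    return False
```

The state value is the RP's own protection for the redirect in step (6), and the nonce is what ties the id_token to the browser session that started the login; an RP that checks neither has no way to tell a legitimately returned token from one injected into a different session.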

Usage Examples

Below is a sequence of screenshots covering authentication against our URIBurner Service SPARQL Query Services Endpoint, where other OpenLink instances (e.g., My.OpenLinkSW.com, OpenLink Solid Pod), Inrupt.net (another Solid Pod collective), Google, Twitter, LinkedIn, etc., function as OIDC or OAuth IdPs.

SPARQL Query Service Home Page

Login Page for Authenticating Identities

VAL Authentication Challenge Dialog

Presenting a Variety of Identity Providers that support a variety of Authentication Protocols

Profile Data Authorization Dialog

Profile Data Access Authorization

Successful Login

Authenticated Identity Logged In

You can also watch the embedded screencasts that follow.

URIBurner SPARQL Query Services Usage Example
OpenLink Smart Data Bot Usage Example

Conclusion

A single instance of Virtuoso not only provides you with powerful Data Access, Data Virtualization, and Multi-Model Relational Data Management functionality; it also offers unrivaled Authentication Virtualization functionality that provides a critical foundation for developing, deploying, and using modern HTTP-based applications where privacy is built in by design, i.e., moving from the fabled "Do No Evil" 3rd Party Trust modality to the newer "Cannot Do Any Evil" or Trustless modality.


CEO, OpenLink Software — High-Performance Data Centric Technology Providers.