About: https://medium.com/virtuoso-blog/virtuoso-setup-for-openid-connect-oidc-and-oauth-protocol-d894102ce270?source=rss----f99cc4bb2945---4
  • OpenID Connect (OIDC) and OAuth Protocol Virtualization, using Virtuoso

    The Virtuoso Authentication Layer (VAL) module of Virtuoso adds a powerful Authentication Protocol Virtualization Layer to a Virtuoso instance.

    This functionality enables a Virtuoso Instance to function as an OpenID Connect (OIDC) or OAuth Relying Party (a Relying Party is a client that delegates authentication to a 3rd party provider) or function as the Identity Provider (IdP) in its own right. In either situation, OIDC and OAuth Protocols are supported, alongside other protocols including TLS, WebID-TLS, WebID-OIDC, Digest Authentication, and the original OpenID.

    Why is this important?

    It provides powerful loose-coupling of Identity, Identification, Authentication, and Authorization across a variety of existing protocols. For instance, it sets the stage for HTTP-based Read-Write Applications that can authenticate the identities of a wide range of users rather than adding that burden to the application development effort.

    For example, at OpenLink we have approximately 100,000 (and counting) user accounts, collated over the years from customers and evaluators of our technology, managed by our main Identity Provider. Inrupt, a startup in the Read-Write Web space has accumulated approximately 65,000 (and counting) accounts since its recent coming out announcement. Google, Facebook, Twitter, LinkedIn, SalesForce.com, Microsoft, Dropbox, and many others collectively have billions of user accounts, too!

    Various Identity Provider Services associated with large User Account Collections

    In all of these cases, an ability to delegate identity authentication to these services trumps the burden of recreating and managing these accounts - which is the problem solved by this powerful virtualization functionality.

    Setup and Use

    Prerequisites

    1. Virtuoso instance
    2. Conductor VAD Package
    3. VAL VAD Package
    4. ODS Framework VAD Package - Optional

    Setting up Virtuoso as an OpenID Connect Identity Provider (IdP)

    At the end of this process, a client application operating as a Relying Party (RP) will be registered and provided with credentials (API Key and Session Secret) for securely accessing the Identity Provider's services provided by the Virtuoso instance.

    (1) Visit your target OIDC Provider's Client Registration Endpoint, http://<cname>:<port>/oauth/applications.vsp, where <cname>:<port> is replaced by your local server values (e.g., https://ods-qa.openlinksw.com/oauth/applications.vsp), and authenticate as a user with DBA privileges, such as dba.

    Displays your Registered Applications (if you created any prior) in addition to those created by others

    (2) Click the Create New Application button to register your Client.

    (2a) Enter a Name and Description that will be meaningful to you later.

    (2b) Provide the Link to your Client's protected service endpoint (the URL that identifies the service endpoint bound to the IdP), e.g., https://kingsley.idehen.net/sparql (for the SPARQL Query Service using VAL).

    (2c) Provide your Client's OAuth callback URL, e.g., https://kingsley.idehen.net/val/third_party/callback.

    (2d) Click Create Application to finish the Client registration.

    (3) For good measure, and for future use, capture the IdP's configuration information (by clicking View/Edit to copy the Application Key & Application Secret). The following is an example OIDC IdP Configuration/Profile Document for ODS-QA, obtained from https://ods-qa.openlinksw.com/.well-known/openid-configuration:

    {
      "issuer": "http://ods-qa.openlinksw.com",
      "authorization_endpoint": "https://ods-qa.openlinksw.com/OAuth2/authorize",
      "token_endpoint": "https://ods-qa.openlinksw.com/OAuth2/token",
      "userinfo_endpoint": "https://ods-qa.openlinksw.com/OAuth2/userinfo",
      "registration_endpoint": "https://ods-qa.openlinksw.com/OAuth2/register",
      "jwks_uri": "https://ods-qa.openlinksw.com/OAuth2/keys",
      "id_token_signing_alg_values_supported": [ "RSA" ],
      "scopes_supported": [ "openid", "profile", "email", "address", "phone", "webid" ],
      "response_types_supported": [ "code", "code id_token" ],
      "subject_types_supported": [ "public" ]
    }
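    A Relying Party should sanity-check a provider configuration document like the one above before binding to it. The following audit function is an added example (not part of the original post and not Virtuoso or VAL code); it applies the requirements of OIDC Discovery 1.0 (https issuer that matches the fetch URL, required fields present) and RFC 7518 (registered JWS algorithm names, with RS256 mandatory for OIDC) to the ODS-QA document reproduced from the post, and flags its http issuer and the non-standard "RSA" algorithm name.

```python
import json
from urllib.parse import urlparse

# The ODS-QA discovery document as printed in the post, reproduced here as a string.
DISCOVERY_DOC = """{
 "issuer": "http://ods-qa.openlinksw.com",
 "authorization_endpoint": "https://ods-qa.openlinksw.com/OAuth2/authorize",
 "token_endpoint": "https://ods-qa.openlinksw.com/OAuth2/token",
 "userinfo_endpoint": "https://ods-qa.openlinksw.com/OAuth2/userinfo",
 "registration_endpoint": "https://ods-qa.openlinksw.com/OAuth2/register",
 "jwks_uri": "https://ods-qa.openlinksw.com/OAuth2/keys",
 "id_token_signing_alg_values_supported": ["RSA"],
 "scopes_supported": ["openid", "profile", "email", "address", "phone", "webid"],
 "response_types_supported": ["code", "code id_token"],
 "subject_types_supported": ["public"]
}"""
# URL the post says the document was fetched from.
FETCHED_FROM = "https://ods-qa.openlinksw.com/.well-known/openid-configuration"

# Registered asymmetric JWS algorithm names (RFC 7518); OIDC Core requires RS256 support.
REGISTERED_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"}
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported", "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "registration_endpoint", "jwks_uri")

def audit_discovery_doc(text: str, fetched_from: str) -> list[str]:
    """Return a list of findings for a discovery document; an empty list means it passed."""
    doc = json.loads(text)
    findings = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    issuer = doc.get("issuer", "")
    iss = urlparse(issuer)
    if iss.scheme != "https":
        findings.append(f"issuer is not an https URL: {issuer}")
    # OIDC Discovery 4.3: issuer + "/.well-known/openid-configuration" must equal the URL fetched.
    if issuer.rstrip("/") + "/.well-known/openid-configuration" != fetched_from:
        findings.append("issuer does not match the URL the document was fetched from")
    for key in ENDPOINTS:
        url = doc.get(key)
        if url is None:
            continue
        ep = urlparse(url)
        if ep.scheme != "https":
            findings.append(f"{key} is not https: {url}")
        if ep.hostname != iss.hostname:  # endpoints on a foreign host deserve a second look
            findings.append(f"{key} host {ep.hostname!r} differs from issuer host {iss.hostname!r}")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        findings.append("RS256 is not advertised for id_token signing")
    findings += [f"unregistered id_token signing alg name: {a}" for a in algs if a not in REGISTERED_ALGS]
    return findings
```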

    Setting up Virtuoso as a Relying Party (RP a/k/a Client) for 3rd Party IdP Binding

    At the end of this process, the client will be fully configured for secure authentication of identities associated with a designated IdP.

    (1) Go to the OAuth Administration page in the Conductor (note: this will not be present until VAL is installed), http://<cname>:<port>/oauth/admin.vsp, where <cname>:<port> is replaced by your local server values (e.g., https://ods-qa.openlinksw.com/oauth/admin.vsp), and authenticate as a user with DBA privileges, such as dba.

    (2) In the OAuth Client API Keys section, click the Add OAuth API Key button. This input dialog will appear:

    (3) Choose Custom Service Type by ticking the check-box. The dialog input boxes will change:

    (4) Fill in the information requested by the input fields, and click the Add API Key button.

    Here's the Virtuoso Authentication Layer dialog presented at login time following successful application of the steps above.

    Protected SPARQL Query Service Endpoint and Authentication Dialog

    Setup Verification & Demonstration using our Live URIBurner SPARQL Query Service Endpoint

    (1) Go to the SPARQL endpoint for your instance, http://<cname>:<port>/sparql, where <cname>:<port> is replaced by your local server values (e.g., https://linkeddata.uriburner.com/sparql), and click the Login link if not immediately prompted.

    (2) Click the More button, and choose one of the following icons - Virtuoso, OIDC, Solid.

    (3) You will be redirected to the IdP authentication dialog of the selected IdP.

    (4) Choose one of the bound IdP icons presented in the VAL dialog; again, note the More button for additional IdPs, including Virtuoso, OIDC, Solid.

    (5) Click the Authorize app (or similar) button presented in the IdP dialog - this will differ on different IdPs.

    (6) You will be redirected back to the VAL dialog of the instance.

    (7) Again, click the Authorize button.

    (8) Voila! You will be logged in to the SPARQL Query Service Access Point.

    Usage Examples

    Below is a sequence of screenshots covering authentication against our URIBurner SPARQL Query Service Endpoint, where other OpenLink instances (e.g., My.OpenLinkSW.com, OpenLink Solid Pod), Inrupt.net (another Solid Pod collective), Google, Twitter, LinkedIn, etc., function as OIDC or OAuth IdPs.

    SPARQL Query Service Home Page

    Login Page for Authenticating Identities

    VAL Authentication Challenge Dialog

    Presenting a Variety of Identity Providers that support a variety of Authentication Protocols

    Profile Data Authorization Dialog

    Profile Data Access Authorization

    Successful Login

    Authenticated Identity Logged In

    You can also watch the embedded screencasts that follow.

    Conclusion

    A single instance of Virtuoso not only provides you with powerful Data Access, Data Virtualization, and Multi-Model Relational Data Management functionality, it also offers unrivaled Authentication Virtualization functionality that provides a critical foundation for developing, deploying, and using modern HTTP-based applications where privacy is built in by design, i.e., moving from the fabled Do No Evil 3rd Party Trust modality to the newer Cannot Do Any Evil or Trustless modality.

    Virtuoso Setup for OpenID Connect (OIDC) and OAuth Protocol was originally published in OpenLink Virtuoso Weblog on Medium, where people are continuing the conversation by highlighting and responding to this story.
