It provides powerful loose-coupling of Identity, Identification, Authentication, and Authorization across a variety of existing protocols. For instance, it sets the stage for HTTP-based Read-Write Applications that can authenticate the identities of a wide range of users rather than adding that burden to the application development effort.
For example, at OpenLink we have approximately 100,000 (and counting) user accounts, collated over the years from customers and evaluators of our technology and managed by our main Identity Provider. Inrupt, a startup in the Read-Write Web space, has accumulated approximately 65,000 (and counting) accounts since its recent coming-out announcement. Google, Facebook, Twitter, LinkedIn, SalesForce.com, Microsoft, Dropbox, and many others collectively have billions of user accounts, too!
In all of these cases, the ability to delegate identity authentication to these services outweighs the burden of recreating and managing these accounts yourself - which is the problem solved by this authentication virtualization functionality.
Setup and Use
Prerequisites
Virtuoso instance
Conductor VAD Package
VAL VAD Package
ODS Framework VAD Package - Optional
Setting up Virtuoso as an OpenID Connect Identity Provider (IdP)
At the end of this process, a client application operating as a Relying Party (RP) will be registered and provided with credentials (API Key and Session Secret) for securely accessing the Identity Provider's services provided by the Virtuoso instance.
(1) Visit your target OIDC Provider's Client Registration Endpoint, http://<cname>:<port>/oauth/applications.vsp, where <cname>:<port> is replaced by your local server values (e.g., https://ods-qa.openlinksw.com/oauth/applications.vsp), and authenticate as a user with DBA privileges, such as dba.
(2) Click the Create New Application button to register your Client.
(2a) Enter a Name and Description that will be meaningful to you later.
(2b) Provide the Link to your Client's protected service endpoint (the URL that identifies the service endpoint bound to the IdP), e.g., https://kingsley.idehen.net/sparql (for the SPARQL Query Service using VAL).
(2d) Click Create Application to finish the Client registration.
(3) For good measure, and for future use, capture the IdP's configuration information (click View/Edit to copy the Application Key & Application Secret). The following is an example OIDC Provider Configuration/Profile Doc for ODS-QA, obtained from https://ods-qa.openlinksw.com/.well-known/openid-configuration:
Setting up Virtuoso as a Relying Party (RP a/k/a Client) for 3rd Party IdP Binding
At the end of this process, the client will be fully configured for secure authentication of identities associated with a designated IdP.
(1) Go to the OAuth Administration page in the Conductor (note: this page is not present until VAL is installed), http://<cname>:<port>/oauth/admin.vsp, where <cname>:<port> is replaced by your local server values (e.g., https://ods-qa.openlinksw.com/oauth/admin.vsp), and authenticate as a user with DBA privileges, such as dba.
(2) In the OAuth Client API Keys section, click the Add OAuth API Key button. This input dialog will appear:
(3) Choose Custom Service Type by ticking its check-box. The dialog input boxes will change:
(4) Fill in the information requested by the input fields, and click the Add API Key button.
Here's the Virtuoso Authentication Layer dialog presented at login time following successful application of the steps above.
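The two procedures above (registering a client with the Virtuoso IdP to obtain an Application Key and Secret, and binding Virtuoso as a Relying Party to a third-party IdP) both rest on the OpenID Connect authorization-code flow, and the screenshots do not show what the RP has to check once the browser comes back from the IdP. The following is an added, offline example written for this article; it is not VAL or Virtuoso code and does not describe how VAL is implemented internally. It walks the RP side of the flow against a constructed stand-in for the `/.well-known/openid-configuration` document: the `issuer` value is the ODS-QA URL from the page, but the endpoint paths, the redirect URI, the `CLIENT_ID`/`CLIENT_SECRET` placeholders (standing in for the Application Key & Secret copied from Conductor) and the use of HS256 for the ID token are all assumptions made so the code runs without a network. The security-relevant part is `verify_id_token` and `extract_code`: `state`, `nonce`, `iss`, `aud`, `exp` and the signature are each checked, and the signing algorithm is pinned rather than trusted from the token header.

```python
"""Relying-Party side of an OIDC authorization-code login, offline.

Added example for this article; not Virtuoso/VAL code. Discovery document,
endpoint paths, client credentials and the HS256 choice are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for https://ods-qa.openlinksw.com/.well-known/openid-configuration.
# Field names are the OIDC Discovery ones; the endpoint paths are ASSUMED, not captured.
DISCOVERY_DOC = {
    "issuer": "https://ods-qa.openlinksw.com",
    "authorization_endpoint": "https://ods-qa.openlinksw.com/oauth/authorize.vsp",  # assumed
    "token_endpoint": "https://ods-qa.openlinksw.com/oauth/token.vsp",              # assumed
    "id_token_signing_alg_values_supported": ["HS256"],  # assumed so the demo needs no RSA keys
}
CLIENT_ID = "application-key-from-conductor"          # placeholder for the Application Key
CLIENT_SECRET = "application-secret-from-conductor"   # placeholder for the Application Secret
REDIRECT_URI = "https://kingsley.idehen.net/oauth/callback"  # assumed RP callback URL


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_query(url: str) -> dict:
    """First value of each query parameter in url."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorization_request(discovery: dict, client_id: str, redirect_uri: str):
    """Return (authorization URL, per-login session state).

    state ties the callback to this browser session, nonce ties the ID token
    to it, and the PKCE challenge ties the issued code to this client.
    """
    verifier = b64url(secrets.token_bytes(32))
    session = {"state": b64url(secrets.token_bytes(16)),
               "nonce": b64url(secrets.token_bytes(16)),
               "code_verifier": verifier}
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid profile",
              "state": session["state"], "nonce": session["nonce"],
              "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
              "code_challenge_method": "S256"}
    return discovery["authorization_endpoint"] + "?" + urlencode(params), session


def extract_code(callback_url: str, session: dict) -> str:
    """Accept the IdP's redirect only if state matches what we issued."""
    q = parse_query(callback_url)
    if not hmac.compare_digest(q.get("state", ""), session["state"]):
        raise ValueError("state mismatch: CSRF or replayed callback")
    if "error" in q:
        raise ValueError("IdP returned error: " + q["error"])
    return q["code"]


def sign_id_token(claims: dict, secret: str) -> str:
    """Constructed IdP stand-in: HS256 keyed with the client secret.
    Real deployments usually use RS256 with keys published at jwks_uri."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_id_token(token: str, discovery: dict, client_id: str, client_secret: str,
                    expected_nonce: str, now: float = None) -> dict:
    """Validate signature and the iss/aud/exp/nonce claims; return the claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token header choose it (alg=none, key confusion).
    if header.get("alg") != "HS256" or "HS256" not in discovery["id_token_signing_alg_values_supported"]:
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != discovery["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token not bound to this login")
    return claims


if __name__ == "__main__":
    url, sess = build_authorization_request(DISCOVERY_DOC, CLIENT_ID, REDIRECT_URI)
    print("redirect browser to:", url)
    code = extract_code(REDIRECT_URI + "?" + urlencode({"code": "demo", "state": sess["state"]}), sess)
    now = time.time()
    tok = sign_id_token({"iss": DISCOVERY_DOC["issuer"], "sub": "dba", "aud": CLIENT_ID,
                         "iat": now, "exp": now + 300, "nonce": sess["nonce"]}, CLIENT_SECRET)
    print("code", code, "-> logged in as", verify_id_token(tok, DISCOVERY_DOC, CLIENT_ID, CLIENT_SECRET, sess["nonce"])["sub"])
```

In a real RP the `code` returned by `extract_code` is exchanged at `token_endpoint` (together with `code_verifier`) for the ID token; that HTTP call is omitted here so the example stays offline. Whichever IdP icon is chosen in the VAL dialog, a login that skips any one of the checks in `verify_id_token` lets a token minted for another client, another issuer, or another session be replayed against the SPARQL endpoint.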
Setup Verification & Demonstration using our Live URIBurner SPARQL Query Service Endpoint
(2) Click the More button, and choose one of the following icons - Virtuoso, OIDC, Solid.
(3) You will be redirected to the IdP authentication dialog of the selected IdP.
(4) Choose one of the bound IdP icons presented in the VAL dialog - again note More button for additional IdPs, including Virtuoso, OIDC, Solid.
(5) Click the Authorize app (or similar) button presented in the IdP dialog - this will differ on different IdPs.
(6) You will be redirected back to the VAL dialog of the instance.
(7) Again, click the Authorize button.
(8) Voila! You will be logged in to the SPARQL Query Service Access Point.
Usage Examples
Below is a sequence of screenshots covering authentication against our URIBurner SPARQL Query Service endpoint, where other OpenLink instances (e.g., My.OpenLinkSW.com, OpenLink Solid Pod), Inrupt.net (another Solid Pod collective), Google, Twitter, LinkedIn, etc., function as OIDC or OAuth IdPs.
SPARQL Query Service Home Page
VAL Authentication Challenge Dialog
Profile Data Authorization Dialog
Successful Login
You can also watch the embedded screencasts that follow.
Conclusion
A single instance of Virtuoso not only provides you with powerful Data Access, Data Virtualization, and Multi-Model Relational Data Management functionality; it also offers Authentication Virtualization functionality that provides a critical foundation for developing, deploying, and using modern HTTP-based applications where privacy is built in by design, i.e., moving from the fabled "Do No Evil" third-party trust modality to the newer "Cannot Do Any Evil" or trustless modality.