How To: Adding Local (Self-Service) OIDC + OAuth Identity Provider Services to the Virtuoso Authentication Layer (VAL)

Situation Analysis

You’ve installed the Virtuoso Authentication Layer (VAL) to a Virtuoso Instance that you also want to use as an OpenID Connect Identity Provider — alongside others such as Google, Twitter, Apple, etc.


Simply perform the following tasks:

  1. Obtain Application Credentials
  2. Bind to Local Identity Provider using Application Credentials

Obtain Application Credentials

To do this, open the OAuth Identity Provider application page and provide values in the input form for the following:

  • Name — identifies your Application
  • Description — a short description of your Application
  • OAuth Version — a drop-down of versions for which 2.0 is the recommended default

The remaining fields are automatically populated with values generated by the Virtuoso instance, and shouldn’t be altered.

Take note of the Application Key and Application Secret, for later input.

Bind to Local Identity Provider (IdP) using Relying Party Credentials

Now that your credentials are in place, open the Identity & Access Service Provider Management page and register your Application as a Relying Party that uses OpenID Connect + OAuth services, by providing values for the following:

  • Service Registration

    1. Service Name — used to identify the IdP
    2. Description — IdP Description
    3. OAuth Version — defaults to 2.0, which is our recommended preference
    4. IdP Icon — an image to be used to visually identify the IdP
    5. PKCE checkbox — for enabling use of OAuth 2.0 with the PKCE modality
    6. DPoP support options — for enabling DPoP using a variety of sub-options
  • Application Credentials Registration

    1. Dynamic Provider Information Discovery checkbox — currently disabled by default
    2. Dynamic Client Registration checkbox — currently disabled by default
    3. Application URL — using our URIBurner as an application example, this value would be
    4. Token URL — using our URIBurner as an application example, this value would be
    5. User Info URL — using our URIBurner as an application example, this value would be
    6. OAuth Key — Application Key
    7. OAuth Secret — Shared Secret associated with Application Key

Save the values to complete registration of our Application as a Relying Party, and then verify the configuration by clicking the “Verify” button, as shown in the image sequence that follows.

Configured IdP List

Authentication Handshake


Live Usage Example – using our URIBurner Instance

  1. Go to the SPARQL Query Services Endpoint identified by This is an Application functioning as a Relying Party to a self-hosted Identity Provider
  2. Click on the “Login” link
  3. In the “Or Authenticate Using” area, mouse over the available icon buttons, and click the one that displays “Authenticate via Local Instance” helptext
  4. When prompted, complete the authentication process by entering a user name and password combination for an existing SQL User Account