OIDC and OAuth Protocol Virtualization, using Virtuoso

Fundamentally, what are you trying to achieve?

For instance, are you trying to protect a specific service whereby identity principals (users) are authenticated using OpenID Connect as a bridge to a variety of Identity Authentication Service Providers?

For instance, what you see at Protected SPARQL Query Service, when you click on the “login” link?


Yes @kidehen this is what I am trying to achieve and have been using this same link you shared as a guide, but I think I am doing something wrong at the point where I need to add OAuth client and API key

If so, what’s failing?
Is it the verification stage following registration of a 3rd Part Identity Provider (Idp)? Note, each of the buttons in the Virtuoso Authentication Layer dialog map to a 3rd party Authentication Services Provider.

For instance, is Google the IdP you are trying to setup here?

Are you trying to setup Google as your IdP, for instance? I can see from the dialog that your binding is problematic, hence the error.

Yes is the verification page that is failing

Yes I am trying to set up Google as the idp and can not figure what I am doing wrong at the moment from the binding

Again, like you said earlier on, what I am trying to achieve is to write a client-side script as a demo for now that will interface with Virtuoso over HTTPS and access relevant IAM services of the OIDC and OAuth2 protocols, perform an identity enrollment and verification, request an authentication, and get an authorization token. I need to understand this implementation with this demo I am creating before implementing it with the main service

Okay, so you are trying to register Google as an Identity Authentication Services provider (IdP) for your Virtuoso instance. If so, I assume you took the following route:

  1. http://{your-instance-cname}/oauth/admin.vsp or the Web Services | Authentication Services Binding menu path using the HTML-based the Virtuoso Admin Interface (a/k/a “The Conductor”)

  2. Attempted to configure your Google IdP using the Client ID and Shared Secret obtained from Google

If that’s all correct, then you would be entering those credentials using either admin interface, as per the screenshots that follow.

The Reactive Admin Interface at http://{your-instance-cname}/oauth/admin.vsp

First page in sequence, where you click on the “Add New Identity Provider” button.

In the next page presented, select Google from the drop-down.

Following selection of Google, enter credentials for your instance (i.e., the Google Client)

Once the input fields are completed, save and retest.

The HTML-based Conductor Interface

Initial page.

Click on Add OAuth API Keys button, and then select Google from the drop-down.

Following selection of Google, enter credentials for your instance (i.e., the Google Client)

Once the input fields are completed, save and retest.


1 Like

Thanks @kidehen for this detailed explanation, it is now working fine as expected

How do I write a VSP script and use it to access this service?

Before jumping into writing a VSP, can you confirm that you are now successfully authenticating against your SPARQL endpoint using Google as the Identity Authentication Services Provider?

Also, are you building a VSP-based application or developing using .NET Frameworks? I ask because OpenID Connect is a protocol for matching Relying Parties (Apps) to Identity Authentication Service Providers i.e., you have Dynamic and Manual bindings available via your chosen development environment.


1 Like

Yes I can successfully authenticate against my SPARQL endpoint using Google as the Identity Authentication Services Provider, and I am using .NET Core Framework for the application I am building.

So your next step isn’t about a VSP that authenticates using OpenID Connect + OAuth, but a .NET Core Framework interaction with your Virtuoso instance that entails:

  1. Registering you App with the Virtuoso Instance as a Relying Party for Identity Authentication Services (i.e., as a client)
  2. Testing authentication from your .NET app against your Virtuoso instance.


Your Virtuoso Instance is just another Identity Authentication Services Provider like Google, Facebook etc., in that example.

1 Like

Okay, thanks @kidehen for the clarity, so how do I go about registering my App with the Virtuoso instance I have, is the same way I added new identity provider to my SPARQL endpoint or is a different process.

Application (Relying Party) Registration always happens via https://{cname}/oauth/applications.vsp. That’s how you obtain credentials from your Virtuoso instance for and Applications (e.g., what you are developing using .NET etc).

Thus, your next step should be authentication against Google (via its binding to Virtuoso) from your .NET app.

1 Like

Noted, I understand what to do now, thanks @kidehen for the assistance and swift response.

I am done building the .NET app for the demo and registering it in the virtuoso instance to get the credentials needed for binding but how do I bind it to the .NET app because when binding Google, Facebook, etc. .NET has this inbuilt service to add those external authentication i.e, in the screenshot below I am binding Google and I can call Services.AddAuthentication()
.AddGoogle and then pass in the credentials just as seen in the screenshot.

How do I call Virtuoso and then pass in the credentials.

You application is a client (a/k/a Relying Party) that uses an OpenID Connect + OAuth Identity Provider for authentication services.

In your example above here’s how the roles breakdown:

  1. Your .NET – Relying Party
  2. Google – OpenID Connect + OAuth Identity Authentication Services Provider (or IdP for short)

The Virtuoso instance, you’ve successfully configured and verified, is also an IdP in this context. You .NET App simply needs to be registered with the Virtuoso IdP to obtain credentials (i.e., Client ID and Shared Secret).

Thus, use https://{virtuoso-instance-cname}/oauth/applications.vsp to perform registration.

Note, Virtuoso also supports Dynamic Client Registration which implies that you don’t even have to manually register your client to obtain the client id and shared secret – as long as this OpenID Connect binding modality is supported by the .NET Core Framework in use.

At this juncture, you should treat your Virtuoso instance just like Google, Facebook etc., but with the following added benefit:

Once you successfully bind to the Virtuoso IdP it can then function as a Virtual IdP into Google, and other IdPs that support OpenID Connect + OAuth. That’s what you see on display when you login using our URIBurner Query Service endpoint at; Protected SPARQL Query Service .

Here are screenshots for Dynamic Client Registration and IdP Binding (using: http://{cname}/oauth/admin.vsp – note you need the very latest VAL & Conductor VADs installed for this to work.

VAL provided Reactive Interface

Conductor Interface

Key URLs to be provided for this form or registration and setup.

Hello @kidehen, sorry for the late reply, but my main question is this, how do I bind the virtuoso IdP to my .NET application. Every other thing is oaky but just this one thing I need to know.

How can .Net bind/connect to OpenID Connect generally, which is how you would connect to Virtuoso which supports OpenID Connect ?

I see for example this link on .Net Authentication with an OpenID Connect or OAuth 2.0 Identity provider, which looks applicable and you as the .Net programmer should be able to validate if applicable for your use case …