Restrict access to /sparql



@turnguard: The latest Virtuoso VAL VAD version 2.2.2_git196 with fix for this issue, is now available for download from the VAD Download area or directly from


hi there, i just downloaded the VAL vad from above link (2.2.2_git196/ 2019-01-08) and installed it over version 2.2.2_git161

with my google account i’m getting the expected access denied, i’m taken back to the login screen, where it says " Access to Protected SPARQL Query Service denied to juergen…" (in red)

with my twitter account, for which i’ve an ACL in place that worked with my latest patch (uid:=-1) i’m now taken back to the login screen, which displays a message (apparently stemming from signal(...))

SR180: Extra arguments to VAL.DBA.oauth_token_10, takes only 5


hi there, again:

this is specifically related to twitter as IDP (or any other IDP making use of the oauth_token_10 procedure)

if i change (line break inserted by myself for better readability here)

data := VAL.DBA.oauth_token_10 (
     null, 'GET', clientKey, null, oauthSid);


data := VAL.DBA.oauth_token_10 (
    'GET', clientKey, null, oauthSid);

inside the twitter section of VAL.DB.thirdparty_callback, everything works as expected.

VAL vad version: 2.2.2_git196/ 2019-01-08


@turnguard: Thanks for the info. I’ve recreated and fixed the bug.


@cblakeley, but your fix is not online yet, right? (i tried a couple of minutes ago and the issue persists as of writing)


@turnguard: Not yet. Sorry for any confusion. We’ll post an update once the new VAD is available for download. /cc @hwilliams


@turnguard: A new 2.2.2_git197 VAL VAD is now available for download from … please verify this resolves the issue you reported … /cc @cblakeley


@hwilliams @kidehen @cblakeley


i verified with my settings (see my twitter ACL above) and VAL VAD 2.2.2_git197 …

it works as expected: i get access denied with my google account and “yo, welcome” with my twitter account…

thanks a lot!

note: if you want to verify on my installation, just drop me your desired account and i’ll add an ACL for you.
account should be either google or twitter as of writing…


Please grant access for my following NetIDs:

  1. Twitter
  2. LinkedIn


you have a google account? i would need to create a linkedIn dev account and setup a oauth client keys and stuff there? twitter is fine…



i added an ACL for your twitter account:


  1. google and twitter are already defined as IDPs
  2. you will be able to access my endpoint using your twitter account
  3. you WON’T be able to access my endpoint using your google account
  4. IMPORTANT NOTE: i created (you can sparql it then) your twitter ACL using HTTP (not HTTPS), VAL.DBA.thirdparty_callback creates the service id using http
    serviceId := sprintf ('', newUsr);



It works!

Next, you should be able to emulate the OpenID Connect bindings along the following axis:

  1. Solid Pods e.g., (NSS 4.x), (NSS 5.x beta), your own

  2. OpenID Connect Idp instances of Virtuoso e.g., make another instance on another port that’s setup to be an OpenID Connect Idp.




the last link in your previous post [1] contains an image with your configured IDPs including solid pods [2]
can you share the configuration how you use an arbitrary solid pod as an IDP?



The process is very simple.

  1. Go to <{your-virtuoso-instance-uri}>/oauth/admin
  2. Click on Add API Key button
  3. Hatch the Dynamic Provider Information Discovery check-box
  4. Hatch the Dynamic Client Registration check-box
  5. Enter {solid-pod-uri} for your Solid Pod
  6. Enter {solid-pod-uri}/register for your Solid Pod
  7. Done

Screenshot 1

Screenshot 2

Screenshot 3



  1. i hit “Add OAuth API key”

  2. checked both checkboxes

  3. enter my solid pod URI (

  4. here comes my micro issue:
    i tried to enter as the callback URL
    when i hit the “Save” button, i got an error message (in red above the form): “Bad callback URI”
    after a short investigation in /DAV/VAD/conductor/login_keys.vspx i found that there is a check

    tmp := VAL.DBA.http_to_https_uri ('http://' || VAL.DBA.val_cname ());
    if (c_callback not like tmp) ... throw... 'Bad callback'

    tmp returns “localhost” no matter if i call conductor via my domain or on localhost…
    anyway, i commented the check, then i could enter above callback uri

    EDIT: i have “localhost” in virtuoso.ini as DefaultHost… i haven’t tested, but after a check of
    VAL.DBA.val_cname() that wouldn’t have occurred if i had in my virtuoso.ini

  5. i added the following ACL…

     PREFIX     acl:  <>
     PREFIX  oplacl:  <>
     WITH  <http://localhost:8890/acl/graph/rules/>
     <urn:rules:jj:oauth:oauth>         a  acl:Authorization ;
                      foaf:maker  <http://localhost:8890/dataspace/person/dba#this> ;
            oplacl:hasAccessMode  oplacl:Read ;
                    acl:accessTo  <urn:virtuoso:access:sparql> ;
                       acl:agent  <> ;
                 oplacl:hasScope  oplacl:Query ;
                 oplacl:hasRealm  oplacl:DefaultRealm .

voila… !!

i can use my solid pod as IDP… very cool!


Wonderful! Note, you can pick the Solid Icon for your Solid IdP.

BTW – do you have screenshots for your Auth0 bindings?

Can I use this for some public demos, bearing in mind you’ve secured it? :slight_smile:



re. auth0 i’m tempted to contribute a little piece of code…
it doesn’t work out of the box because auth0 can return user profile json constructs from various IDPs. All of them look different. note that VAL.DBA.thirdparty_callback procedure includes a switch to determine the serviceId depending on the IDP. so it would be necessary to create an own switch which is capable of handling different user profiles (e.g. from twitter, google, github, linkedin,…) and determine the serviceId from those. there is however a auth0 user api, that could return a unified profile for all of those IDPs… i need to investigate first…

note: i made it work in a couple of minutes by patching above callback procedure for the IDPs i want to use…
those user profiles are identifiable by a “sub” key in the returned json, the value of that key is the IDP + | + userId, so it’s not too hard to implement, e.g.


re public demos: that would be totally fine with me… note however that i’m running a virtuoso 8.2. with a evaluation license on my notebook. so that’s not gonna be available much longer… :smiley:



we’ve come very far with this thread… can we still elaborate how i can use virtuoso itself as an IDP?

i’ve created an application under /oauth using this callback

then i’ve then created a OAuth Service Binding, using

  • the appkey and appsecret from the application i created under /oauth

when i use the respective login button on my /sparql endpoint, i’m taken to the login page, where i enter my dba credentials. after that i’m taken to the authorization page, where i click authorize… then i’m taken to the sparql endpoint, but am getting a message above the endpoint saying:

`Failed to fetch service ID from service “virtuosoods”.

(virtuosoods being the name of my OAuth Service Binding)

any hint?


To clear regarding the steps you followed:

OpenID Connect / OAuth Idp

  1. Go to <{your-virtuoso-instance-uri}>/oauth/applications.vsp

  2. Click on Create Application button to get to the Application Creation/Registration Form

  3. Fill in App Name field

  4. Fill in App Description field

  5. Fill in Link field with App Origin/Domain using pattern <{your-virtuoso-instance-uri}>

  6. Fill in Callback URLs field with a Callback URL for app using pattern <{your-virtuoso-instance-domain}/{callback-doc-name}>

  7. Click on Create Application Button

OpenID Connect / OAuth Relying Party (App or Client)

  1. Go to <{your-virtuoso-idp-instance-uri}>/oauth/admin
  2. Click on Add API Key button
  3. Hatch the Dynamic Provider Information Discovery check-box
  4. Hatch the Dynamic Client Registration check-box
  5. Enter <{your-virtuoso-idp-instance-uri}> for Virtuoso-based OpenID Connect / OAuth IdP
  6. Enter {your-virtuoso-idp-instance-uri}/register for your Solid Pod
  7. Done

Anything outside of the following re getting this to work amounts to some bug or quirk that we should resolve via this thread :slight_smile:

/cc @cblakeley



i could make this work as well… for others to replay, i did the following with my domain

  1. go to
    1.1. “Create New Application”
    1.2. “Link” =>
    1.3. “Callback URLs” =>
    1.4. “Create Application” (note: hit “View/Edit” to copy Application Key & Application Secret)
  2. go to
    2.1. “Add API Key”
    2.2. “Service Name” => This Virtuoso
    2.3. “Authentication URL” =>
    2.4. “Token URL” =>
    2.5. “User Info URL” =>
    2.6. “OAuth Token Key” => ${Application Key} (see 1.4)
    2.7. “OAuth Secret” => ${Application Secret} (see 1.4)
  3. Verification
    3.1. go to
    3.2. choose the “Virtuoso” icon under “More” button (alt: “Authenticate via This Virtuoso”)
    3.3. redirected to: (note: Link on login screen changed to “Authenticate to access: This Virtuoso Instance”
    3.4. choose the “Twitter” icon under “More” button (note: i have the ACL for my twitter account already in place, @kidehen, you should be able to do the same with your twitter account, your google (or linkedin, github,…) account will get an access denied in the end)
    3.5. hit the “Authorize app” button on
    3.6. i’m redirected back to virtuoso’s authorization dialog at, hit the “Authorize” button
    3.7. voila: i’m logged in and can access the endpoint

(note: there is a message: Failed to fetch service ID from service "thisvirtuoso"., this however can be ignored, the endpoint also presents a link to my twitter account next to “Logged in as…”

lovely! :slight_smile: