
Using Virtuoso's WebID Verification Service with a WebID-bearing X.509 certificate

What?

Federated WebID verification service.

The WebID Verification Service is a user-friendly way to verify a presented Certificate, providing a less technical alternative to issuing SPARQL queries against a SPARQL endpoint.

The service currently supports WebIDs based on the ldap:, http:, mailto:, acct: URI schemes. Other URI schemes will be added over time.

Why?

Delivers WebID verification services to 3rd party solutions that lack native WebID verification functionality.

How?

A proxy is a delegation mechanism. In the context of a WebID IdP, the service provides federation of verification functionality via RESTful interaction. Part of this effort is a signed payload that enables the client of the proxy to trust the responses that it gets.

Separate from the proxy aspect is a basic service that works with a click: it redirects to https (if you don't arrive via https), then challenges you to present a certificate that has a WebID watermark.

WebID Verification Service Endpoint

The WebID Verification Service Endpoint is https://cname/ods/webid_verify.vsp

WebID Verification Service Parameters

The service supports the following parameters:

  • callback: the callback URL to which the service redirects after verifying the WebID.
  • certificate: X.509 Certificate with WebID watermark.

Examples

Using the Web ID Verification Service Endpoint Example 1

This example presents a sample scenario using the WebID Verification Service Endpoint http://id.myopenlink.net/ods/webid_verify.vsp :

  1. Start a Virtuoso server instance (locally, remote, EC2 AMI, etc.)
  2. Make sure the ODS Framework package is installed.
  3. Create an X.509 Certificate with WebID watermark, for ex. this one with WebID http://ods-qa.openlinksw.com/dataspace/person/demo#this .
  4. Go to http://id.myopenlink.net/ods/webid_verify.vsp :




  5. In the presented form enter respectively:
  6. Click "Verify".
  7. As a result, you should be redirected to the callback URL. In our case the verification is successful: the WebID and the timestamp in ISO 8601 format are presented.



Using the Web ID Verification Service Endpoint Example 2

This example presents a sample scenario using the WebID Verification Service Endpoint https://id.myopenlink.net/ods/webid_verify.vsp :

  1. Start a Virtuoso server instance (locally, remote, EC2 AMI, etc.)
  2. Make sure the ODS Framework package is installed.
  3. Create an X.509 Certificate with WebID watermark, for ex. this one with WebID http://ods-qa.openlinksw.com/dataspace/person/demo#this:
  4. Access https://id.myopenlink.net/ods/webid_verify.vsp .
  5. When challenged, select the certificate generated above:



  6. In the presented form enter:
  7. Click "Verify".
  8. As a result, you should be redirected to the callback URL. In our case the verification is successful: the WebID and the timestamp in ISO 8601 format are presented.



cURL Examples

Prerequisites
  1. Start a Virtuoso server instance (locally, remote, EC2 AMI, etc.)
  2. Make sure the ODS Framework package is installed.
  3. Create an X.509 Certificate with WebID watermark.
  4. Export the generated WebID watermarked X.509 Certificate to your local file system, for ex. with name demo.p12 and with password "test":
  5. Execute:

    openssl pkcs12 -in demo.p12 -out demo.pem -nodes

    • Note: the *.pem file should also contain the private key. Because of -nodes, that key is written to demo.pem unencrypted.

Example 1: Call the Web ID Verification Service with Certificate and Callback URL Parameters
  1. In this example the url parameters values will be respectively:
  2. Execute:

    curl -i -k -E demo.pem:test "https://id.myopenlink.net/ods/webid_verify.vsp?callback=http://id.myopenlink.net/ods/webid_demo.html"
    HTTP/1.1 302 Found
    Server: Virtuoso/06.03.3131 (Linux) x86_64-generic-linux-glibc25-64 VDB
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Date: Mon, 06 Feb 2012 12:55:55 GMT
    Accept-Ranges: bytes
    Location: http://id.myopenlink.net/ods/webid_demo.html?webid=http%3A%2F%2Fid.myopenlink.net%2Fdataspace%2Fperson%2Fdemo%23this&ts=2012-02-06T07%3A55%3A55.000011-05%3A00&signature=vVhmk%2Fni1WN%2BEahDdnslPOd%2F8RCXdfdK1Syo4hDrIwCBf%2FDpGIMQjI%2FAhyIZW%2BsvV%2BKlWRBeFsDWyVZjRK6bkx2sC%2B4R4Pj1zH8539p7j8H0j8BLqBV9E3yhVvwTUhf4YdqVbXAzGBVwkuaxpfePWCjFhmvwAtkHH25Mo1wwvCE%3D
    Content-Length: 0

  3. In case of successful WebID verification, the WebID should be returned, as above:

    webid=http%3A%2F%2Fid.myopenlink.net%2Fdataspace%2Fperson%2Fdemo%23this

  4. Additionally, a timestamp in ISO 8601 format should be returned, as above:

    ts=2012-02-06T07%3A55%3A55.000011-05%3A00

Example 2: Call the Web ID Verification Service with Callback URL Parameter Only
  1. In this example the url parameter value will be:
  2. Execute:

    curl -i -k "https://id.myopenlink.net/ods/webid_verify.vsp?callback=http://id.myopenlink.net/ods/webid_demo.html"
    HTTP/1.1 302 Found
    Server: Virtuoso/06.03.3131 (Linux) x86_64-generic-linux-glibc25-64 VDB
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Date: Mon, 06 Feb 2012 13:02:28 GMT
    Accept-Ranges: bytes
    Location: http://id.myopenlink.net/ods/webid_demo.html?error=noCert&ts=2012-02-06T08%3A02%3A28-05%3A00&signature=Kp99KHmQwv8Ar7R4L5Iofh3ZO63uPUkZu%2FZiS%2FUz%2BF8pdXMQiS4Mjy5vH3WGkqCGLLrEJv1Rth%2BTfZ7TXohtwNrIveZR6jIymLYyacaTY70VZ6Em%2B6SbJxuE3mzfKlmEOeKGIZQkDQcn67PjI2TQ42830ybXjobDr9t9DoNZTHE%3D
    Content-Length: 0

  3. In case of any error, the service returns "error=..", as in our example, which shows that there is no certificate to verify:

    error=noCert
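
The two redirects in Example 1 and Example 2 are all a callback page receives, and a GET to the callback can carry any webid value, so the handler should vet the parameters before trusting them. The following JavaScript is an added example, not code from the original page or from OpenLink; checkCallback, parseTs, MAX_SKEW_MS and the caller-supplied verifySignature function are hypothetical names, and because the page does not state what the service signs or with which key, the signature check itself is delegated to that function.

```javascript
// Added example (not OpenLink code): vet the query string that
// webid_verify.vsp appends to the callback URL before trusting `webid`.
// MAX_SKEW_MS and the verifySignature callback are assumptions: the page
// does not say what the service signs or with which key.
const MAX_SKEW_MS = 5 * 60 * 1000;
const FIELDS = ['webid', 'error', 'ts', 'signature'];

// The service emits microseconds (Example 1) or no fraction (Example 2);
// trim to milliseconds so Date.parse sees a plain ISO 8601 string.
function parseTs(ts) {
  return Date.parse(String(ts).replace(/(\.\d{3})\d+/, '$1'));
}

function checkCallback(callbackUrl, nowMs, verifySignature) {
  const url = new URL(callbackUrl);
  const q = url.searchParams; // values arrive percent-decoded
  // Repeated parameters make "which value was signed?" ambiguous.
  for (const k of FIELDS) {
    if (q.getAll(k).length > 1) return { ok: false, reason: 'duplicate-' + k };
  }
  const [webid, error, ts, sig] = FIELDS.map((k) => q.get(k));
  if (!ts || !sig) return { ok: false, reason: 'unsigned' };
  if (sig.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(sig)) {
    return { ok: false, reason: 'bad-signature-encoding' };
  }
  const when = parseTs(ts);
  if (Number.isNaN(when) || Math.abs(nowMs - when) > MAX_SKEW_MS) {
    return { ok: false, reason: 'stale' }; // limits replay of a captured redirect
  }
  if (!verifySignature(url, Buffer.from(sig, 'base64'))) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (error) return { ok: false, reason: 'service-error:' + error };
  if (!webid) return { ok: false, reason: 'no-webid' };
  return { ok: true, webid, ts };
}

// Constructed inputs: webid/ts/error values are from the cURL examples,
// the signature is a placeholder (base64 of "signature"), not a real one.
const CB = 'http://id.myopenlink.net/ods/webid_demo.html';
const SIG = '&signature=c2lnbmF0dXJl';
const OK_URL = CB +
  '?webid=http%3A%2F%2Fid.myopenlink.net%2Fdataspace%2Fperson%2Fdemo%23this' +
  '&ts=2012-02-06T07%3A55%3A55.000011-05%3A00' + SIG;
const ERR_URL = CB + '?error=noCert&ts=2012-02-06T08%3A02%3A28-05%3A00' + SIG;
const acceptAll = () => true; // stand-in verifier for the demo run only
console.log(checkCallback(OK_URL, Date.UTC(2012, 1, 6, 12, 56), acceptAll));
console.log(checkCallback(ERR_URL, Date.UTC(2012, 1, 6, 13, 3), acceptAll));
```

A real verifySignature must check the signature bytes against the verification service's key; acceptAll exists only so the sample runs.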

Client Using the Web ID Verification Service Sample Scenarios

The following examples include Virtuoso PL (VSP), JavaScript, and PHP variants. Each has as part of their prototype (or call signature) an Address (a URL) that is used by the webid_verify.vsp service.

Prerequisites
  1. Start a Virtuoso server instance (locally, remote, EC2 AMI, etc.)
  2. Make sure the ODS Framework package is installed.
  3. Set up a WebID: for this example, we'll use an LDAP-based URI.
  4. Create an X.509 Certificate with the WebID watermark.
VSP Example

This example presents a VSP client that uses the service with an X.509 certificate whose SAN-hosted WebID watermark is a standard http: scheme URI.

  • View the code here;
    • Note: The VSP pages can be tested and used whether they are located in the OS file system or in DAV. See more details.
Trying the service:
  1. Via http:
    1. Access http://<cname>/ods/webid/webid_demo.vsp:



    2. Click the "Check" button.
    3. You should be challenged to present a certificate that has a WebID watermark:



    4. Click "Ok".
    5. You should be redirected to a page whose URL includes the signature and timestamp REST pattern parameters; in case of successful authentication, the extracted WebID value and the timestamp in ISO 8601 format should be presented:



JavaScript Example

This example presents a JavaScript client that uses the service with an X.509 certificate whose SAN-hosted WebID watermark is a standard http: scheme URI.

  • View the code here;
    • Note: The JavaScript pages can be tested and used whether they are located in the OS file system or in DAV. See more details.
Trying the service:
  1. Via http:
    1. Access http://<cname>/ods/webid/webid_demo.html :



    2. Click the "Check" button.
    3. You should be challenged to present a certificate that has a WebID watermark:



    4. Click "Ok".
    5. You should be redirected to a page whose URL includes the signature and timestamp REST pattern parameters; in case of successful authentication, the extracted WebID value and the timestamp in ISO 8601 format should be presented:



PHP Example

This example presents a PHP client that uses the service with an X.509 certificate whose SAN-hosted WebID watermark is a standard http: scheme URI.

  • View the code here;
    • Note: The PHP pages can be tested and used only when they are located in the OS file system. See more details.

Trying the service:

  1. Via http:
    1. Access http://<cname>/ods/webid/webid_demo.php :



    2. Click the "Check" button.
    3. You should be challenged to present a certificate that has a WebID watermark:



    4. Click "Ok".
    5. You should be redirected to a page whose URL includes the signature and timestamp REST pattern parameters; in case of successful authentication, the extracted WebID value and the timestamp in ISO 8601 format should be presented:


