%META:TOPICPARENT{name="ValQuickStartGuide"}%

Topic VAL_OAuthACLs, created 2017-06-13T06:08:26Z, last modified 2017-06-29T07:33:15Z.

---+ VAL OAuth Application ACLs

VAL's OAuth provider implementation provides an application management page to create, delete, and edit OAuth client application key/secret pairs.

Like most aspects of VAL, the creation of OAuth clients is subject to ACLs and restrictions. An instance maintainer can define who is allowed to create new OAuth clients and how many they are allowed to create.

---++ Private Graphs Used for ACL Storage

The rules can be managed via the [[http://docs.openlinksw.com/val/group__val__acl__module__http__api.html][VAL ACL RESTful API]] or the [[http://docs.openlinksw.com/val/group__val__acl__module__internal__api.html#ga89b2c77c10c82186ddc0e7b46093123c][internal VAL API]]. Alternatively, one can add the rules directly to the private graph matching the realm in which the rules should apply. The graph IRI is formed by appending the percent-encoded realm IRI to a fixed prefix: given the default realm http://www.openlinksw.com/ontology/acl#DefaultRealm and the default hostname "HOST", the rules graph IRI is http://HOST/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm, and the groups are stored in the named graph http://HOST/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm. Be aware that [[http://docs.openlinksw.com/val/val_configuration.html#val_configuration_acl_graphs][these graphs can be customized]] for better readability.

The same principle applies to the named graph for restrictions. Given the default realm http://www.openlinksw.com/ontology/acl#DefaultRealm and the default hostname "HOST", the restrictions graph IRI is http://HOST/acl/restrictions/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm.

---++ ACLs

---+++ Enable ACLs for the OAuth Application Page

For the ACL system to work properly, the ontologies whose terms the rules below use (the VAL oplacl ontology and the W3C ACL vocabulary) need to be loaded into the private named graph urn:virtuoso:val:acl:schema. This can be achieved as follows:

<verbatim>
sparql load <http://www.openlinksw.com/ontology/acl> into <urn:virtuoso:val:acl:schema>;
sparql load <http://www.w3.org/ns/auth/acl> into <urn:virtuoso:val:acl:schema>;
</verbatim>

By default, any authenticated person can create an arbitrary number of OAuth client keys.

VAL controls ACL application through [[http://docs.openlinksw.com/val/val_acl.html#val_acl_rule_scopes][ACL scopes]], which can be enabled and disabled per application realm. Thus, in order to enable ACLs for the OAuth scope in the default realm, the scope must be moved from the realm's disabled to its enabled scopes in VAL's configuration graph urn:virtuoso:val:config:

<verbatim>
sparql
prefix oplacl: <http://www.openlinksw.com/ontology/acl#>
with <urn:virtuoso:val:config>
delete {
  oplacl:DefaultRealm oplacl:hasDisabledAclScope oplacl:OAuth .
}
insert {
  oplacl:DefaultRealm oplacl:hasEnabledAclScope oplacl:OAuth .
};
</verbatim>

---+++ ACL Resource and Access Modes

Creating new OAuth client keys requires [[http://www.openlinksw.com/ontology/acl#Write][oplacl:Write]] permission on the virtual resource urn:virtuoso:access:oauth:apps in ACL scope [[http://www.openlinksw.com/ontology/acl#OAuth][oplacl:OAuth]].

---+++ ACL Examples

The following examples assume that the default realm [[http://www.openlinksw.com/ontology/acl#DefaultRealm][oplacl:DefaultRealm]] is used for creating the ACL resources, and therefore insert into the rules and groups graphs derived from that realm as described above.

The following examples use "HOST" as a placeholder for the default hostname of the system the ACL resources are created on. WebIDs of the form http://HOST/dataspace/person/someone#this are likewise placeholders to be replaced with the real identifiers.

Be aware that [[http://docs.openlinksw.com/val/val_configuration.html#val_configuration_acl_graphs][the ACL graphs can be customized]] for better readability.

---++++ Grant Everyone the Right to Create OAuth Apps

<verbatim>
sparql
prefix oplacl: <http://www.openlinksw.com/ontology/acl#>
prefix acl:    <http://www.w3.org/ns/auth/acl#>
prefix foaf:   <http://xmlns.com/foaf/0.1/>
with <http://HOST/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
insert {
  <#rule> a acl:Authorization ;
    oplacl:hasAccessMode oplacl:Write ;
    acl:accessTo <urn:virtuoso:access:oauth:apps> ;
    acl:agentClass foaf:Agent ;
    oplacl:hasScope oplacl:OAuth ;
    oplacl:hasRealm oplacl:DefaultRealm .
};
</verbatim>

---++++ Grant the Right to Create OAuth Apps to an Individual

<verbatim>
sparql
prefix oplacl: <http://www.openlinksw.com/ontology/acl#>
prefix acl:    <http://www.w3.org/ns/auth/acl#>
prefix foaf:   <http://xmlns.com/foaf/0.1/>
with <http://HOST/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
insert {
  <#rule> a acl:Authorization ;
    oplacl:hasAccessMode oplacl:Write ;
    acl:accessTo <urn:virtuoso:access:oauth:apps> ;
    # placeholder: the WebID of the individual being granted access
    acl:agent <http://HOST/dataspace/person/someone#this> ;
    oplacl:hasScope oplacl:OAuth ;
    oplacl:hasRealm oplacl:DefaultRealm .
};
</verbatim>

---++++ Grant the Right to Create OAuth Apps to a Group of People

(When not using the API, the groups and ACLs need to be inserted into the appropriate graph (see above) with the additional properties oplacl:hasRealm and foaf:maker.)

There are two types of groups: static and conditional ones. The former is a simple list of individuals, as seen below; the latter is a set of conditions which define a dynamic group of individuals.

---+++++ A Static Group

<verbatim>
sparql
prefix oplacl: <http://www.openlinksw.com/ontology/acl#>
prefix foaf:   <http://xmlns.com/foaf/0.1/>
with <http://HOST/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
insert {
  <#group> a foaf:Group, oplacl:StaticGroup ;
    foaf:name "Some people" ;
    # placeholders: the WebIDs of the group members
    foaf:member <http://HOST/dataspace/person/someone#this>,
                <http://HOST/dataspace/person/someone-else#this> .
};
</verbatim>

---+++++ Anyone Who Is Authenticated

The required group is a [[http://docs.openlinksw.com/val/val_acl.html#val_acl_groups_conditional][conditional group]] which includes every authenticated NetID:

<verbatim>
sparql
prefix oplacl: <http://www.openlinksw.com/ontology/acl#>
prefix foaf:   <http://xmlns.com/foaf/0.1/>
with <http://HOST/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
insert {
  <#group> a oplacl:ConditionalGroup ;
    foaf:name "Valid Identifiers" ;
    oplacl:hasCondition [
      a oplacl:GroupCondition, oplacl:GenericCondition ;
      oplacl:hasCriteria oplacl:NetID ;
      oplacl:hasComparator oplacl:IsNotNull ;
      oplacl:hasValue 1
    ] .
};
</verbatim>

---+++++ Any Verified WebID

The required group is a [[http://docs.openlinksw.com/val/val_acl.html#val_acl_groups_conditional][conditional group]] which includes every verified WebID:

<verbatim>
sparql
prefix oplacl: <http://www.openlinksw.com/ontology/acl#>
prefix foaf:   <http://xmlns.com/foaf/0.1/>
with <http://HOST/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
insert {
  <#group> a oplacl:ConditionalGroup ;
    foaf:name "Valid WebIDs" ;
    oplacl:hasCondition [
      a oplacl:GroupCondition, oplacl:GenericCondition ;
      oplacl:hasCriteria oplacl:WebIDVerified ;
      oplacl:hasComparator oplacl:EqualTo ;
      oplacl:hasValue 1
    ] .
};
</verbatim>

---+++++ Any Valid X.509 Client Certificate

The required group is a [[http://docs.openlinksw.com/val/val_acl.html#val_acl_groups_conditional][conditional group]] which includes everyone presenting a valid X.509 client certificate:

<verbatim>
sparql
prefix oplacl: <http://www.openlinksw.com/ontology/acl#>
prefix foaf:   <http://xmlns.com/foaf/0.1/>
with <http://HOST/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
insert {
  <#group> a oplacl:ConditionalGroup ;
    foaf:name "Valid X.509 Certificates" ;
    oplacl:hasCondition [
      a oplacl:GroupCondition, oplacl:GenericCondition ;
      oplacl:hasCriteria oplacl:CertVerified ;
      oplacl:hasComparator oplacl:EqualTo ;
      oplacl:hasValue 1
    ] .
};
</verbatim>

---+++++ Any Verified WebID Which Claims to Be a Person

Query conditions consist of a SPARQL query with two placeholders, ^{graph}^ and ^{uri}^, which are replaced with the profile graph and the personal URI respectively. Here a query condition is combined with the WebID verification condition, so both must hold for a caller to be in the group:

<verbatim>
sparql
prefix oplacl: <http://www.openlinksw.com/ontology/acl#>
prefix foaf:   <http://xmlns.com/foaf/0.1/>
with <http://HOST/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
insert {
  <#group> a oplacl:ConditionalGroup ;
    foaf:name "Valid WebIDs" ;
    oplacl:hasCondition [
      a oplacl:GroupCondition, oplacl:GenericCondition ;
      oplacl:hasCriteria oplacl:WebIDVerified ;
      oplacl:hasComparator oplacl:EqualTo ;
      oplacl:hasValue 1
    ] ,
    [
      a oplacl:GroupCondition, oplacl:OAuthCondition ;
      oplacl:hasQuery """ask where { graph ^{graph}^ { ^{uri}^ a foaf:Person } }"""
    ] .
};
</verbatim>

---++ Control the Maximum Number of OAuth Clients via Restrictions

In addition to controlling who can create OAuth clients, the instance maintainer can define how many OAuth clients can be created. By default, whoever has the right to create applications can create as many as they like.

In order to limit that number, a restriction on the resource urn:virtuoso:restrictions:oauth:apps needs to be defined. As always with VAL restrictions, when several restrictions apply to the same agent the least restrictive value (the largest maximum) will be used.

---+++ Restriction Examples

---++++ Limit the Maximum Number of OAuth Clients to 2 for Everyone

<verbatim>
sparql
prefix oplres: <http://www.openlinksw.com/ontology/restrictions#>
prefix foaf:   <http://xmlns.com/foaf/0.1/>
prefix rdfs:   <http://www.w3.org/2000/01/rdf-schema#>
prefix xsd:    <http://www.w3.org/2001/XMLSchema#>
with <http://HOST/acl/restrictions/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
insert {
  <#res1> a oplres:Restriction ;
    rdfs:label "Max 2 OAuth Apps for Everyone" ;
    oplres:hasResource <urn:virtuoso:restrictions:oauth:apps> ;
    oplres:hasAgentClass foaf:Agent ;
    oplres:hasMaxValue "2"^^xsd:decimal .
};
</verbatim>

---++++ Limit the Maximum Number of OAuth Clients to 10 for an Individual

<verbatim>
sparql
prefix oplres: <http://www.openlinksw.com/ontology/restrictions#>
prefix foaf:   <http://xmlns.com/foaf/0.1/>
prefix rdfs:   <http://www.w3.org/2000/01/rdf-schema#>
prefix xsd:    <http://www.w3.org/2001/XMLSchema#>
with <http://HOST/acl/restrictions/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
insert {
  <#res2> a oplres:Restriction ;
    rdfs:label "Max 10 OAuth Apps" ;
    oplres:hasResource <urn:virtuoso:restrictions:oauth:apps> ;
    # placeholder: the WebID of the individual the limit applies to
    oplres:hasAgent <http://HOST/dataspace/person/someone#this> ;
    oplres:hasMaxValue "10"^^xsd:decimal .
};
</verbatim>

---++ Allow Users to Request Access to OAuth App Management

Like all applications using VAL's authentication pages, the OAuth application page can make use of VAL's request-for-access feature, which lets a user send a message to the owner of the resource asking for permission to use it.

All VAL needs to know is who owns the resource. This is easily done using the VAL API. If, for example, "dba" should be the owner of the OAuth client management, the following call will save that fact:

<verbatim>
VAL.DBA.set_resource_ownership (
  scope=>VAL.DBA.oplacl_uri('OAuth'),
  resource=>'urn:virtuoso:access:oauth:apps',
  serviceId=>VAL.DBA.user_personal_uri ('dba')
);
</verbatim>

This call adds a triple like the following into a private graph, which is then added to a graph group containing all ownership graphs for the given scope:

<verbatim>
@prefix foaf: <http://xmlns.com/foaf/0.1/> .

<http://HOST/dataspace/person/dba#this> foaf:made <urn:virtuoso:access:oauth:apps> .
</verbatim>
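The private graph IRIs for rules, groups and restrictions are all derived the same way: a fixed per-kind prefix followed by the percent-encoded realm IRI. The following Python helper, an added example and not part of the original page or of VAL, computes those IRIs for any realm and hostname and recovers the realm from an existing graph IRI; it assumes the default (uncustomized) graph prefixes shown above and encodes every reserved character, since the realm's ':', '/' and '#' all have to become %3A, %2F and %23 for the result to match.

```python
from urllib.parse import quote, unquote

# Default realm as given on the page; deployments may use others.
DEFAULT_REALM = "http://www.openlinksw.com/ontology/acl#DefaultRealm"

# Default (uncustomized) graph prefixes for the three kinds of VAL private
# graphs described above; "{host}" is substituted with the instance hostname.
GRAPH_PREFIXES = {
    "rules": "http://{host}/acl/graph/rules/",
    "groups": "http://{host}/acl/graph/groups/",
    "restrictions": "http://{host}/acl/restrictions/rules/",
}


def realm_graph_iri(kind: str, host: str = "HOST", realm: str = DEFAULT_REALM) -> str:
    """Return the private graph IRI holding <kind> entries for <realm> on <host>.

    quote(..., safe="") leaves no reserved character unescaped, so the
    realm's scheme separator, slashes and fragment marker are all encoded;
    '.' and letters are unreserved and stay as they are.
    """
    if kind not in GRAPH_PREFIXES:
        raise ValueError(f"unknown graph kind {kind!r}")
    return GRAPH_PREFIXES[kind].format(host=host) + quote(realm, safe="")


def realm_from_graph_iri(graph_iri: str) -> str:
    """Recover the realm IRI from a rules/groups/restrictions graph IRI.

    Because every '/' inside the encoded realm became %2F, the last '/'
    of the graph IRI always delimits the encoded realm.
    """
    return unquote(graph_iri.rsplit("/", 1)[1])


def sparql_with_clause(kind: str, host: str = "HOST", realm: str = DEFAULT_REALM) -> str:
    """The 'with <graph>' line to paste into an insert such as the ones above."""
    return f"with <{realm_graph_iri(kind, host, realm)}>"


if __name__ == "__main__":
    for kind in GRAPH_PREFIXES:
        print(kind, realm_graph_iri(kind))
```

Running it prints the three default-realm graph IRIs quoted in the text; feeding it a custom realm such as an organization's own realm IRI yields the matching graphs without hand-encoding.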
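To make the decision logic behind the ACL and restriction sections concrete, here is a small Python model, added as an example and not VAL's implementation, of how the pieces above combine for one request to create an OAuth client: the scope gate (ACLs only apply once oplacl:OAuth is an enabled scope of the realm, otherwise the default of "any authenticated person" holds), rule matching by acl:agent, acl:agentClass foaf:Agent or a group, the generic group conditions used on this page, and the least-restrictive rule for oplres:hasMaxValue. Assumptions: rules reference groups through acl:agentGroup (the page shows the groups but not the linking rule), a conditional group requires all of its conditions to hold, a query condition is modelled as a plain predicate instead of an ASK against the profile graph, and the WebIDs in the sample policy are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple, Union

# Identifiers from the page, prefixes spelled out.
FOAF_AGENT = "http://xmlns.com/foaf/0.1/Agent"
ACL_RESOURCE = "urn:virtuoso:access:oauth:apps"
RES_RESOURCE = "urn:virtuoso:restrictions:oauth:apps"
DEFAULT_REALM = "http://www.openlinksw.com/ontology/acl#DefaultRealm"


@dataclass
class Identity:
    """What the generic conditions above test about the caller (model only)."""
    uri: Optional[str]                 # NetID/WebID, None when unauthenticated
    webid_verified: bool = False       # oplacl:WebIDVerified
    cert_verified: bool = False        # oplacl:CertVerified


@dataclass
class Rule:
    """One acl:Authorization in the shape of the ACL examples above."""
    agent: Optional[str] = None        # acl:agent
    agent_class: Optional[str] = None  # acl:agentClass
    agent_group: Optional[str] = None  # acl:agentGroup (assumed linking property)
    access_mode: str = "Write"         # oplacl:hasAccessMode
    resource: str = ACL_RESOURCE       # acl:accessTo
    scope: str = "OAuth"               # oplacl:hasScope
    realm: str = DEFAULT_REALM         # oplacl:hasRealm


# (criteria, comparator, value) for oplacl:GenericCondition, or a predicate
# standing in for a query condition.
Condition = Union[Tuple[str, str, object], Callable[[Identity], bool]]


@dataclass
class StaticGroup:
    members: Set[str]                  # foaf:member


@dataclass
class ConditionalGroup:
    conditions: List[Condition]        # oplacl:hasCondition; all must hold (assumed)


@dataclass
class Restriction:
    max_value: int                     # oplres:hasMaxValue
    agent: Optional[str] = None        # oplres:hasAgent
    agent_class: Optional[str] = None  # oplres:hasAgentClass
    resource: str = RES_RESOURCE       # oplres:hasResource


def generic_condition_holds(identity: Identity, criteria: str, comparator: str, value: object) -> bool:
    """Evaluate an oplacl:GenericCondition for the criteria used on this page."""
    actual = {"NetID": identity.uri,
              "WebIDVerified": int(identity.webid_verified),
              "CertVerified": int(identity.cert_verified)}[criteria]
    if comparator == "IsNotNull":
        return actual is not None
    if comparator == "EqualTo":
        return actual == value
    raise ValueError(f"unsupported comparator {comparator!r}")


def in_group(identity: Identity, group) -> bool:
    if isinstance(group, StaticGroup):
        return identity.uri is not None and identity.uri in group.members
    return all((generic_condition_holds(identity, *c) if isinstance(c, tuple) else c(identity))
               for c in group.conditions)


def rule_matches(identity: Identity, rule: Rule, groups: Dict[str, object]) -> bool:
    """Does the rule's agent selector cover this identity?"""
    if rule.agent_class == FOAF_AGENT:                      # "everyone"
        return True
    if rule.agent is not None and rule.agent == identity.uri:
        return True
    return rule.agent_group is not None and in_group(identity, groups[rule.agent_group])


def may_create_oauth_app(identity: Identity, enabled_scopes: Dict[str, Set[str]], rules: List[Rule],
                         groups: Dict[str, object], restrictions: List[Restriction],
                         existing_apps: int, realm: str = DEFAULT_REALM) -> bool:
    # 1. Scope gate: until oplacl:OAuth is an enabled scope of the realm no ACL is
    #    applied and the default holds: any authenticated person may create keys.
    if "OAuth" not in enabled_scopes.get(realm, set()):
        allowed = identity.uri is not None
    else:
        allowed = any(r.realm == realm and r.scope == "OAuth" and r.resource == ACL_RESOURCE
                      and r.access_mode == "Write" and rule_matches(identity, r, groups)
                      for r in rules)
    if not allowed:
        return False
    # 2. Restrictions: of all applicable limits the least restrictive (largest)
    #    wins; with no applicable restriction there is no limit at all.
    limits = [res.max_value for res in restrictions
              if res.resource == RES_RESOURCE
              and (res.agent_class == FOAF_AGENT or (res.agent is not None and res.agent == identity.uri))]
    return not limits or existing_apps < max(limits)


# Constructed sample policy mirroring the examples above (placeholder WebIDs).
ALICE = "http://HOST/dataspace/person/alice#this"
GROUPS = {"valid-webids": ConditionalGroup([("WebIDVerified", "EqualTo", 1)])}
RULES = [Rule(agent=ALICE), Rule(agent_group="valid-webids")]
RESTRICTIONS = [Restriction(max_value=2, agent_class=FOAF_AGENT),
                Restriction(max_value=10, agent=ALICE)]
SCOPES = {DEFAULT_REALM: {"OAuth"}}
```

With this policy, an unverified WebID is refused as soon as the scope is enabled, a verified one is capped at the "everyone" limit of 2, and alice, matched by both restrictions, gets the larger limit of 10; the same sample data shows that with the scope still disabled the rules are ignored and only authentication matters.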