Hi Reto,
Looks interesting.
Fuseki Main should be able to have the Shiro filter added to it, which
might be an easier way to build the server, rather than unpack/pack.
Fuseki main does have read-level access control per graph:
https://jena.apache.org/documentation/fuseki2/data-access-control#graph-acl
including HTTPS support and endpoint access control.
In Fuseki, intercepting add/remove Quad is enough though I am not sure
about GSP - if the app POSTs to ?default then Fuseki does get the graph
and insert data directly, which can bypass quad operations for some
link-based datasets.
Andy
On 24/05/2019 15:46, Reto Gmür wrote:
Hi Jean-Claude
OpenID Connect is an identity layer on top of OAuth 2. Our solution includes a
Fuseki DataSetAssembler that provides secured datasets, so it doesn't modify
Fuseki but merely provides an add-on. It also includes a Shiro
AuthenticatingFilter taking care of the authentication part. We provide a
docker distribution of Fuseki with these add-ons.
Cheers,
Reto
-----Original Message-----
From: Jean-Claude Moissinac <[email protected]>
Sent: Friday, May 24, 2019 4:22 PM
To: [email protected]
Subject: Re: Fuseki OIDC: OpenId authenticated Fuseki access
Hi Reto
Interesting
I would like to support such access (or OAuth). Is your solution a modified
version of Fuseki or the integration of some features via the Shiro support of
Fuseki?
Cheers
--
Jean-Claude Moissinac
On Fri, 24 May 2019 at 15:56, Reto Gmür <[email protected]> wrote:
Hi all,
At FactsMission we've been experimenting with controlling Fuseki
access with OpenID (OIDC) authentication and we would like to invite
you to try out the results and give us feedback.
* You may either set up your own instance using the code available
here: https://github.com/linked-solutions/fuseki-oidc
* Or, try out our demo-instance here:
https://fuseki-oidc-sample-client.factsmission.org/
While you'll need to set up an account to try it out, you can do so
with any fake email-address as verification is disabled.
Once you have logged in with OIDC you will be able to read data from any
graph but are only allowed to write to a specific graph associated with your
account.
The motivation for this configuration is to allow guest-book style
(client-side) applications where users can add and edit entries in
their personal graph and see the entries from any graph.
Let me know if you find this useful or if we missed something.
Cheers,
Reto