<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Hi Jeremy,</div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">We had some OAuth - IPP discussions when creating the IPP Scan specification and I believe the approved IPP Scan standard may include answers to some of your OAuth security token related questions.</div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">I'm currently out of the office in a location where I can't access the IPP Scan standard to check my memory on what we ultimately included about OAuth though.</div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">Hopefully you might get a little help from the IPP Scan standard while waiting for others to respond.</div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">Best Regards,</div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">/Paul</div><div id="AppleMailSignature"><br>Sent from my iPhone</div><div><br>On Nov 16, 2016, at 1:34 PM, Jeremy Leber <<a href="mailto:jeremy.leber@lexmark.com">jeremy.leber@lexmark.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr">Hi All,<div><br></div><div>I could use some clarification on the proper way to use OAuth with IPP, given the following scenario:</div><div><br></div><div>I have an IPP endpoint that requires verification of the client's identity and validation of the client's authorization before printing a job. The client has obtained an OAuth token that will be used for this purpose.</div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><p style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;color:rgb(51,51,51)"><font face="arial, helvetica, sans-serif">When implementing this, should the implementor assume that IPP allows and expects OAuthv2 tokens to be included in the HTTP header (as would be the case for any other HTTP request)? 
</font></p><p style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;color:rgb(51,51,51)"><font face="arial, helvetica, sans-serif">If this IS the case, does the system expect any other user authentication information in the IPP request itself?</font></p><p style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;color:rgb(51,51,51)"><font face="arial, helvetica, sans-serif">As an implementor, when implementing an IPP service with OAuth, are the following assumptions correct?</font></p><ul style="box-sizing:border-box;padding-left:2em;margin-top:0px;margin-bottom:16px;color:rgb(51,51,51)"><li style="box-sizing:border-box;margin-left:0px"><font face="arial, helvetica, sans-serif">uri-authentication-supported MUST contain 'oauth' if OAuthv2 is supported</font></li><li style="box-sizing:border-box;margin-top:0.25em;margin-left:0px"><font face="arial, helvetica, sans-serif">oauth-authorization-server-uri MUST contain the OAuthv2 authorization URI to be used to authorize the user if uri-authentication-supported contains 'oauth'</font></li><li style="box-sizing:border-box;margin-top:0.25em;margin-left:0px"><font face="arial, helvetica, sans-serif">The user's actual OAuthv2 token MUST be supplied in the HTTP Header Authorization line as a Bearer Token per the OAuth RFC</font><ul style="box-sizing:border-box;padding-left:2em;margin-top:0px;margin-bottom:0px"><li style="box-sizing:border-box;margin-left:0px"><font face="arial, helvetica, sans-serif">The IPP service will/may authorize access to the printer/device using the supplied OAuthv2 token</font></li></ul></li><li style="box-sizing:border-box;margin-top:0.25em;margin-left:0px"><font face="arial, helvetica, sans-serif">access-oauth-token and access-oauth-uri are only used to access a Document on behalf of the user to be processed by the service, not for printer/device access itself</font></li></ul><div><font color="#333333" face="arial, helvetica, sans-serif">And a few extra questions:</font></div><font 
color="#333333" face="arial, helvetica, sans-serif"><ul><li>Has any discussion or consideration been had regarding using ID tokens to represent the job owner (i.e. the requesting-user-name)?<br></li><li><font face="arial, helvetica, sans-serif">If the authentication process using SAML or OpenID Connect, it may retrieve a JWT or SAML Assertion which contains the user's identity, h</font><span style="font-family:arial,sans-serif">as any discussion been had about the benefits or pitfalls or delvierying the JWT/Assertions as the identity instead of a simple requesting-user-name?</span><br></li></ul></font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">Sorry for the lengthy questions... would love to get some quick feedback from the group. </font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">Thanks!<br>Jeremy</font></div><div><font face="arial, helvetica, sans-serif"><br clear="all"></font><div><div class="m_-1644078864614626398gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><b style="color:rgb(50,50,60);font-family:arial,helvetica,sans-serif;font-size:13px;line-height:18px">Jeremy Leber</b><br style="color:rgb(50,50,60);font-family:arial,helvetica,sans-serif;font-size:13px;line-height:18px"><font color="#32323c" face="arial, helvetica, sans-serif"><span style="font-size:13px;line-height:18px">Area Owner, Network Firmware Development</span></font></div><div dir="ltr"><font color="#32323c" face="arial, helvetica, sans-serif"><span style="font-size:13px;line-height:18px"><br></span></font></div><div dir="ltr"><span style="font-family:arial,helvetica,sans-serif;line-height:18px;font-size:10px;color:rgb(28,100,180)"><b>O</b></span><span 
style="color:rgb(50,50,60);font-family:arial,helvetica,sans-serif;font-size:13px;line-height:18px"> </span><span style="color:rgb(50,50,60);font-family:arial,helvetica,sans-serif;line-height:18px;font-size:12px"><a href="tel:%2B1%20859%20825-4505" value="+18598254505" target="_blank">+1 859 825-4505</a></span><br style="color:rgb(50,50,60);font-family:arial,helvetica,sans-serif;font-size:13px;line-height:18px"><span style="color:rgb(50,50,60);font-family:arial,helvetica,sans-serif;line-height:18px;font-size:12px"><a href="mailto:jeremy.leber@lexmark.com" target="_blank">jeremy.leber@lexmark.com</a></span><br style="color:rgb(50,50,60);font-family:arial,helvetica,sans-serif;font-size:13px;line-height:18px"><br style="color:rgb(50,50,60);font-family:arial,helvetica,sans-serif;font-size:13px;line-height:18px"><a href="http://www.lexmark.com/" style="font-family:arial,helvetica,sans-serif;font-size:13px;line-height:18px" target="_blank"><img src="http://www.lexmark.com/common/images/email/lexmark-logo-email-signature.png" border="0"></a><br style="color:rgb(50,50,60);font-family:arial,helvetica,sans-serif;font-size:13px;line-height:18px"><span style="color:rgb(50,50,60);font-family:arial,helvetica,sans-serif;line-height:18px;font-size:12px"><a href="http://www.lexmark.com" target="_blank">www.lexmark.com</a></span><br style="color:rgb(50,50,60);font-family:arial,helvetica,sans-serif;font-size:13px;line-height:18px"></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>ipp mailing list</span><br><span><a href="mailto:ipp@pwg.org">ipp@pwg.org</a></span><br><span><a href="https://www.pwg.org/mailman/listinfo/ipp">https://www.pwg.org/mailman/listinfo/ipp</a></span><br></div></blockquote></body></html>
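An added example, not code from the PWG, from the IPP Scan specification, or from either message above, showing the server-side half of the arrangement Jeremy describes: the IPP service reads the OAuth 2.0 bearer token from the HTTP Authorization header, validates it, answers failures with the WWW-Authenticate challenges RFC 6750 defines, and treats the token subject (not the client-asserted requesting-user-name) as the identity it acts on, flagging any disagreement for logging. The token store, the 'ipp:print' scope name, the sample tokens and the fixed clock are constructed for the example; a real service would consult an introspection endpoint or validate a JWT instead.

```python
"""Server-side check of an OAuth 2.0 bearer token on an IPP-over-HTTP request.

Added example; not code from the PWG, from IPP Scan, or from either message in
this thread.  Assumptions (labelled): TOKEN_STORE is a constructed stand-in for
the introspection endpoint or JWT validator a real IPP service would consult,
and the scope name 'ipp:print' is invented for the example.
"""
import re
import time
from dataclasses import dataclass
from typing import Mapping, Optional

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token, where
# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=".
# The scheme name itself is case-insensitive (RFC 7235).
_BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)

# Constructed introspection results (RFC 7662 field names), keyed by token.
TOKEN_STORE = {
    "tok-alice-ok":      {"active": True,  "sub": "alice", "scope": "ipp:print", "exp": 4_102_444_800},
    "tok-bob-expired":   {"active": True,  "sub": "bob",   "scope": "ipp:print", "exp": 946_684_800},
    "tok-carol-noscope": {"active": True,  "sub": "carol", "scope": "ipp:scan",  "exp": 4_102_444_800},
    "tok-dave-revoked":  {"active": False, "sub": "dave",  "scope": "ipp:print", "exp": 4_102_444_800},
}


@dataclass
class AuthResult:
    ok: bool
    status: int                      # HTTP status the IPP service should return
    subject: Optional[str] = None    # authenticated identity, taken from the token
    challenge: Optional[str] = None  # WWW-Authenticate value on failure (RFC 6750 section 3)
    name_mismatch: bool = False      # requesting-user-name disagrees with the token subject


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; look the header up that way."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the b64token from an 'Authorization: Bearer ...' value, else None."""
    if authorization is None:
        return None
    match = _BEARER_RE.match(authorization.strip())
    return match.group(1) if match else None


def authorize_ipp_request(headers, requesting_user_name, now=None, required_scope="ipp:print"):
    """Decide whether the HTTP request carrying an IPP operation may proceed.

    The IPP requesting-user-name attribute is client-asserted.  The identity
    the service acts on is the token subject; a disagreeing requesting-user-name
    is flagged so it can be logged, not trusted.
    """
    now = time.time() if now is None else now
    authorization = get_header(headers, "Authorization")
    if authorization is None:
        # No credentials at all: challenge the client to present a bearer token.
        return AuthResult(False, 401, challenge='Bearer realm="ipp"')
    token = parse_bearer(authorization)
    if token is None:
        # Some other scheme, or a malformed bearer value.
        return AuthResult(False, 400, challenge='Bearer realm="ipp", error="invalid_request"')
    info = TOKEN_STORE.get(token)
    if info is None or not info["active"] or info["exp"] <= now:
        # Unknown, revoked or expired: the client must obtain a fresh token.
        return AuthResult(False, 401, challenge='Bearer realm="ipp", error="invalid_token"')
    if required_scope not in info["scope"].split():
        # Valid token, but not authorised for this operation.
        return AuthResult(False, 403,
                          challenge=f'Bearer realm="ipp", error="insufficient_scope", scope="{required_scope}"')
    mismatch = requesting_user_name is not None and requesting_user_name != info["sub"]
    return AuthResult(True, 200, subject=info["sub"], name_mismatch=mismatch)


if __name__ == "__main__":
    fixed_now = 1_700_000_000  # constructed clock so the expiry checks are deterministic
    for hdr, user in [({"Authorization": "Bearer tok-alice-ok"}, "alice"),
                      ({"authorization": "Bearer tok-alice-ok"}, "mallory"),
                      ({}, "alice"),
                      ({"Authorization": "Basic dXNlcjpwYXNz"}, "alice"),
                      ({"Authorization": "Bearer tok-bob-expired"}, "bob"),
                      ({"Authorization": "Bearer tok-carol-noscope"}, "carol")]:
        print(hdr, user, "->", authorize_ipp_request(hdr, user, now=fixed_now))
```

The status codes follow RFC 6750 section 3.1: a request with no credentials gets a plain 401 challenge, a malformed Authorization value gets 400 invalid_request, an unknown, revoked or expired token gets 401 invalid_token, and a good token lacking the needed scope gets 403 insufficient_scope. The name_mismatch flag is what answers the second half of Jeremy's question in practice: once the token authenticates the user, requesting-user-name is at most a hint to be logged and reconciled, never the basis for access.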