[IPP] Oauth for IPP System Service

[IPP] Oauth for IPP System Service

Kennedy, Smith (Wireless & IPP Standards) smith.kennedy at hp.com
Wed Oct 7 21:14:17 UTC 2020


Hi Piotr,

I filed two errata against 5100.22: one to have Get-System-Attributes authentication semantics clarified, and another to have "oauth-authorization-server-uri" and "oauth-authorization-scope" attributes added as System Description attributes. The expectation is that a System object MUST NOT challenge a Client for authentication. Given that, if a System object supported OAuth, it ought to provide the "oauth-authorization-server-uri" and "oauth-authorization-scope" attributes as System Description attributes.

Smith

/**
    Smith Kennedy
    HP Inc.
*/

> On Oct 7, 2020, at 2:56 PM, Piotr Pawliczek <pawliczek at chromium.org> wrote:
> 
> Hi Smith,
> 
> Yes! Thank you very much. This is the problem I run into.
> I just forgot to check Get-System-Attributes, so I didn't mention it.
> 
> Piotr
> 
> 
> On Wed, Oct 7, 2020 at 1:51 PM Kennedy, Smith (Wireless & IPP Standards) <smith.kennedy at hp.com <mailto:smith.kennedy at hp.com>> wrote:
> Hi there,
> 
> In "IPP Authentication Methods v1.0" on page 19 (https://ftp.pwg.org/pub/pwg/informational/bp-ippauth10-20190816-5199.10.pdf#page=19 <https://ftp.pwg.org/pub/pwg/informational/bp-ippauth10-20190816-5199.10.pdf#page=19>), edge 13 says 'Check for "oauth-authorization-server-uri" and "oauth-authorization-scope" Printer Description attributes'. If the IPP System supported OAuth, then presumably a Client could do a Get-System-Attributes operation to get these same two attributes.
> 
> But if the System is allowed to respond with an authentication challenge (similar to Get-User-Printer-Attributes but not similar to Get-Printer-Attributes) then we have a problem because those two OAuth attributes can't be acquired by the Client. I cannot tell from the definition of "Get-System-Attributes" in IPP System v1.0 (http://ftp.pwg.org/pub/pwg/candidates/cs-ippsystem10-20191122-5100.22.pdf#page=70 <http://ftp.pwg.org/pub/pwg/candidates/cs-ippsystem10-20191122-5100.22.pdf#page=70>) whether a System object is allowed to challenge a Client for authentication in response to a Get-System-Attributes operation request.
> 
> Piotr, did I capture your "chicken-and-egg" concerns here?
> 
> Smith
> 
> /**
>     Smith Kennedy
>     HP Inc.
> */
> 
>> On Oct 7, 2020, at 2:16 PM, Michael Sweet via ipp <ipp at pwg.org <mailto:ipp at pwg.org>> wrote:
>> 
>> Piotr,
>> 
>> > On Oct 7, 2020, at 4:08 PM, Piotr Pawliczek via ipp <ipp at pwg.org <mailto:ipp at pwg.org>> wrote:
>> >
>> > Hi,
>> >
>> > I am trying to figure out how to implement oauth authentication for the IPP System (e.g.: needed to send the Get-Printers request). I cannot find any references to oauth authorization in the document "IPP System Service v1.0 (SYSTEM)". Is there any plan to describe oauth authentication on the level of IPP System?
>> 
>> OAuth happens at the HTTP level, so the IPP Authentication Methods v1.0 document applies to all IPP services, not just printing.
>> 
>> ________________________
>> Michael Sweet
>> 
>> 
>> 
>> _______________________________________________
>> ipp mailing list
>> ipp at pwg.org <mailto:ipp at pwg.org>
>> https://www.pwg.org/mailman/listinfo/ipp <https://www.pwg.org/mailman/listinfo/ipp>
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20201007/bd1b57c1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://www.pwg.org/pipermail/ipp/attachments/20201007/bd1b57c1/attachment.sig>


More information about the ipp mailing list