Hi Mike, Smith,
Yes, "server-uri" is not a registered parameter for the Bearer
authentication scheme.
But if "server-uri" and "scope" were reported in HTTP 401 Response (edge
11), Get-System-Attributes and Get-Printer-Attributes could be protected by
OAuth as other requests.
It would be nice to have this as an option. For public
services, Get-System-Attributes and Get-Printer-Attributes are good targets
for DDos attacks. It is much easier to compose a 401 HTTP response than a
full IPP frame with hundreds of attributes.
Best regards,
Piotr
On Fri, Oct 9, 2020 at 1:40 PM Michael Sweet <msweet at msweet.org> wrote:
> Piotr,
>> > On Oct 9, 2020, at 12:48 PM, Piotr Pawliczek <pawliczek at chromium.org>
> wrote:
> >
> > Hi Smith,
> >
> > Thank you very much for your help!
> > BTW, have you considered using an HTTP response header (see
>https://tools.ietf.org/html/rfc6750#section-3) to communicate
> "server-uri" and "scope" to the client?
>> "server-uri" is not a registered parameter for the Bearer authentication
> scheme.
>> > In this case, we would not have to expose Get-System-Attributes and
> Get-Printer-Attributes to everyone.
>> These are already exposed to everything - the OAuth server isn't the only
> bit of information needed.
>> >
> > Best regards,
> > Piotr
> >
> > On Wed, Oct 7, 2020 at 2:14 PM Kennedy, Smith (Wireless & IPP Standards)
> <smith.kennedy at hp.com> wrote:
> > Hi Piotr,
> >
> > I filed two errata against 5100.22: one to have Get-System-Attributes
> authentication semantics clarified, and another to have
> "oauth-authorization-server-uri" and "oauth-authorization-scope" attributes
> added as System Description attributes. The expectation is that a System
> object MUST NOT challenge a Client for authentication. Given that, if a
> System object supported OAuth, it ought to provide the
> "oauth-authorization-server-uri" and "oauth-authorization-scope" attributes
> as System Description attributes.
> >
> > Smith
> >
> > /**
> > Smith Kennedy
> > HP Inc.
> > */
> >
> >> On Oct 7, 2020, at 2:56 PM, Piotr Pawliczek <pawliczek at chromium.org>
> wrote:
> >>
> >> Hi Smith,
> >>
> >> Yes! Thank you very much. This is the problem I run into.
> >> I just forgot to check Get-System-Attributes, so I didn't mention it.
> >>
> >> Piotr
> >>
> >>
> >> On Wed, Oct 7, 2020 at 1:51 PM Kennedy, Smith (Wireless & IPP
> Standards) <smith.kennedy at hp.com> wrote:
> >> Hi there,
> >>
> >> In "IPP Authentication Methods v1.0" on page 19 (
>https://ftp.pwg.org/pub/pwg/informational/bp-ippauth10-20190816-5199.10.pdf#page=19),
> edge 13 says 'Check for "oauth-authorization-server-uri" and
> "oauth-authorization-scope" Printer Description attributes'. If the IPP
> System supported OAuth, then presumably a Client could do a
> Get-System-Attributes operation to get these same two attributes.
> >>
> >> But if the System is allowed to respond with an authentication
> challenge (similar to Get-User-Printer-Attributes but not similar to
> Get-Printer-Attributes) then we have a problem because those two OAuth
> attributes can't be acquired by the Client. I cannot tell from the
> definition of "Get-System-Attributes" in IPP System v1.0 (
>http://ftp.pwg.org/pub/pwg/candidates/cs-ippsystem10-20191122-5100.22.pdf#page=70)
> whether a System object is allowed to challenge a Client for authentication
> in response to a Get-System-Attributes operation request.
> >>
> >> Piotr, did I capture your "chicken-and-egg" concerns here?
> >>
> >> Smith
> >>
> >> /**
> >> Smith Kennedy
> >> HP Inc.
> >> */
> >>
> >>> On Oct 7, 2020, at 2:16 PM, Michael Sweet via ipp <ipp at pwg.org> wrote:
> >>>
> >>> Piotr,
> >>>
> >>> > On Oct 7, 2020, at 4:08 PM, Piotr Pawliczek via ipp <ipp at pwg.org>
> wrote:
> >>> >
> >>> > Hi,
> >>> >
> >>> > I am trying to figure out how to implement oauth authentication for
> the IPP System (e.g.: needed to send the Get-Printers request). I cannot
> find any references to oauth authorization in the document "IPP System
> Service v1.0 (SYSTEM)". Is there any plan to describe oauth authentication
> on the level of IPP System?
> >>>
> >>> OAuth happens at the HTTP level, so the IPP Authentication Methods
> v1.0 document applies to all IPP services, not just printing.
> >>>
> >>> ________________________
> >>> Michael Sweet
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> ipp mailing list
> >>> ipp at pwg.org> >>> https://www.pwg.org/mailman/listinfo/ipp> >>
> >
>> ________________________
> Michael Sweet
>>>>-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20201009/f52f92ec/attachment.html>