[IPP] IPP OAuth 2.0 question / potential gap: How should the Client manage multiple access tokens or realm identities?

[IPP] IPP OAuth 2.0 question / potential gap: How should the Client manage multiple access tokens or realm identities?

Kennedy, Smith (Wireless & IPP Standards) smith.kennedy at hp.com
Wed Oct 19 22:25:43 UTC 2022 

Hi Mike and Piotr,

> On Oct 19, 2022, at 7:29 AM, Michael Sweet <msweet at msweet.org> wrote:
> 
> CAUTION: External Email
> 
> From: Michael Sweet <msweet at msweet.org>
> Subject: Re: [IPP] IPP OAuth 2.0 question / potential gap: How should the Client manage multiple access tokens or realm identities?
> Date: October 19, 2022 at 7:29:57 AM MDT
> To: Piotr Pawliczek <pawliczek at google.com>
> Cc: "Kennedy, Smith (Wireless & IPP Standards)" <smith.kennedy at hp.com>, PWG IPP Workgroup <ipp at pwg.org>, "Jimmy Wu (HE/HIM/HIS)" <Jimmy.Wu at microsoft.com>, Pamela Dingle <Pamela.Dingle at microsoft.com>, Benjamin Gordon <bmgordon at google.com>
> 
> 
> Piotr,
> 
>> On Oct 17, 2022, at 5:49 PM, Piotr Pawliczek <pawliczek at google.com> wrote:
>> 
>> Hi Michael and Smith,
>> 
>> Regarding the implementation of the client, I would keep two caches:
>> 1. access tokens for printers indexed by "printer-uri" (or for IPP Systems indexed by "server-uri")
> 
> I guess I figured we'd want to "pin" the OAuth server URI and scope with the printer/system ("resource") URI...

I think I agree with this but the primary "key" would be the printer-uri, and the value / record would need to include the "device" access token acquired earlier following token exchange.

> 
>> 2. access tokens for Authorization Servers indexed by "oauth-authorization-server-uri" and "oauth-scope"

This sounds a bit awkward but I agree with this in principle.

However, I want to come back to an ambiguity that I still think we need to work out. I've attached a use case diagram from the PDF I posted to the wiki page.

As we have already established, a mobile Client such as a laptop or smartphone may discover and interact with multiple printers, and those printers may be in different "contexts" or "domains" (e.g. at "work" and at "home"). It is possible that all the printers the Client encounters may not list unique hostnames for "oauth-authorization-server-uri" on a per-context or per-domain basis; both the "work" and "home" contexts may both be served by "authz.x.io".

That means that the Client is unable to distinguish the different contexts using the hostname. If in step 3, the Client doesn't provide an identifier for that printer (e.g. certificate or "printer-uuid" or something else unique to that printer), "authz.x.io" won't know whether the credentials provided in step 3 are legitimate for the "context" that the printer belongs to. Waiting until step 6 and potentially returning another HTTP 401 in step 7, would be a bad user experience, wouldn't it?

So what value should the Client be providing in step 20 of the big sequence diagram (ipp-authentication-6-http-oauth2.pdf <https://github.com/istopwg/ippsample/files/9427540/ipp-authentication-6-http-oauth2.pdf>) so that the printer / context can be conveyed? Did we ever come to consensus on that?






>> 
>> When the client communicates with a printer the cache 1 is used (when the printer requires OAuth). If the printer is missing there or the current access token is rejected the client queries  "oauth-authorization-server-uri" and "oauth-scope" from the printer and tries to match an entry in the cache 2. If the entry is found the client does TokenExchange (in the background) to get the new access token for the printer (and saves the new access token in the cache 1). If there is no matching entry in the cache 2, the client must go through the authorization procedure to get an access token for the authorization server and given scope ("oauth-authorization-server-uri" and "oauth-scope"). The authorization procedure here means standard Authorization Code flow with PKCE (opening the internet browser, letting the user to authenticate etc).
>> Both these caches are kept in the context of the current OS user session (they are wiped out when the user closes the session).
> 
> I think we need to support persistence beyond the current session, at least for "system" accounts and other background processes that might need access even after the user has logged out (accounting, monitoring, general printing, etc.)  But for normal user sessions I agree the cached tokens can go away.
> 
> ________________________
> Michael Sweet
> 
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20221019/481167e7/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PastedGraphic-1.png
Type: image/png
Size: 38651 bytes
Desc: not available
URL: <http://www.pwg.org/pipermail/ipp/attachments/20221019/481167e7/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://www.pwg.org/pipermail/ipp/attachments/20221019/481167e7/attachment.sig>

More information about the ipp mailing list