Hi Smith and Mike,
On Wed, Oct 19, 2022 at 3:25 PM Kennedy, Smith (Wireless & IPP Standards) <
smith.kennedy at hp.com> wrote:
> Hi Mike and Piotr,
>> On Oct 19, 2022, at 7:29 AM, Michael Sweet <msweet at msweet.org> wrote:
>> CAUTION: External Email
>> *From: *Michael Sweet <msweet at msweet.org>
> *Subject: **Re: [IPP] IPP OAuth 2.0 question / potential gap: How should
> the Client manage multiple access tokens or realm identities?*
> *Date: *October 19, 2022 at 7:29:57 AM MDT
> *To: *Piotr Pawliczek <pawliczek at google.com>
> *Cc: *"Kennedy, Smith (Wireless & IPP Standards)" <smith.kennedy at hp.com>,
> PWG IPP Workgroup <ipp at pwg.org>, "Jimmy Wu (HE/HIM/HIS)" <
>Jimmy.Wu at microsoft.com>, Pamela Dingle <Pamela.Dingle at microsoft.com>,
> Benjamin Gordon <bmgordon at google.com>
>>> Piotr,
>> On Oct 17, 2022, at 5:49 PM, Piotr Pawliczek <pawliczek at google.com> wrote:
>> Hi Michael and Smith,
>> Regarding the implementation of the client, I would keep two caches:
> 1. access tokens for printers indexed by "printer-uri" (or for IPP Systems
> indexed by "server-uri")
>>> I guess I figured we'd want to "pin" the OAuth server URI and scope with
> the printer/system ("resource") URI...
>>> I think I agree with this but the primary "key" would be the printer-uri,
> and the value / record would need to include the "device" access token
> acquired earlier following token exchange.
>
Yes, it was my thinking. The printer can have only one
"oauth-authorization-server-uri" and it can be queried with
Get-Printer-Attributes (or cached if necessary).
>> 2. access tokens for Authorization Servers indexed by
> "oauth-authorization-server-uri" and "oauth-scope"
>>> This sounds a bit awkward but I agree with this in principle.
>> However, I want to come back to an ambiguity that I still think we need to
> work out. I've attached a use case diagram from the PDF I posted to the
> wiki page.
>> As we have already established, a mobile Client such as a laptop or
> smartphone may discover and interact with multiple printers, and those
> printers may be in different "contexts" or "domains" (e.g. at "work" and at
> "home"). It is possible that all the printers the Client encounters may not
> list unique hostnames for "oauth-authorization-server-uri" on a per-context
> or per-domain basis; both the "work" and "home" contexts may both be served
> by "authz.x.io".
>> That means that the Client is unable to distinguish the different contexts
> using the hostname. If in step 3, the Client doesn't provide an identifier
> for that printer (e.g. certificate or "printer-uuid" or something else
> unique to that printer), "authz.x.io" won't know whether the credentials
> provided in step 3 are legitimate for the "context" that the printer
> belongs to. Waiting until step 6 and potentially returning another HTTP 401
> in step 7, would be a bad user experience, wouldn't it?
>> So what value should the Client be providing in step 20 of the big
> sequence diagram (ipp-authentication-6-http-oauth2.pdf
> <https://github.com/istopwg/ippsample/files/9427540/ipp-authentication-6-http-oauth2.pdf>) so
> that the printer / context can be conveyed? Did we ever come to consensus
> on that?
>>>>>>I think that I see the problem. The fact that the user authorizes
successfully does not guarantee access to the printer. Let's say that the
Authorization Server is an OpenID client and redirects the user to Google
OpenID (or something similar). Let's assume that I have two accounts (my
private one and one used for work). If I log into my private account, I
don't get access to printers at work and vice versa, If I log in to my work
account at home, I don't get access to my home printers (assuming here that
all printers use the same Authorization Server). Although, the similar
problem exists when a user logs in to other systems with OAuth. But in case
of other systems, the user can usually see what account he is
currently logged in. And IPP Client does not show anything like that to the
user. On the other hand, we cannot know if the user has access rights to
the printer until the user completes the authentication procedure.
Is this the issue you are thinking about?
> When the client communicates with a printer the cache 1 is used (when the
> printer requires OAuth). If the printer is missing there or the current
> access token is rejected the client queries
> "oauth-authorization-server-uri" and "oauth-scope" from the printer and
> tries to match an entry in the cache 2. If the entry is found the client
> does TokenExchange (in the background) to get the new access token for the
> printer (and saves the new access token in the cache 1). If there is no
> matching entry in the cache 2, the client must go through the authorization
> procedure to get an access token for the authorization server and given
> scope ("oauth-authorization-server-uri" and "oauth-scope"). The
> authorization procedure here means standard Authorization Code flow with
> PKCE (opening the internet browser, letting the user to authenticate etc).
> Both these caches are kept in the context of the current OS user session
> (they are wiped out when the user closes the session).
>>> I think we need to support persistence beyond the current session, at
> least for "system" accounts and other background processes that might need
> access even after the user has logged out (accounting, monitoring, general
> printing, etc.) But for normal user sessions I agree the cached tokens can
> go away.
>> ________________________
> Michael Sweet
>>>>>-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20221025/cc2a3749/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PastedGraphic-1.png
Type: image/png
Size: 38651 bytes
Desc: not available
URL: <http://www.pwg.org/pipermail/ipp/attachments/20221025/cc2a3749/attachment.png>
