Hi Piotr,
> On Oct 25, 2022, at 11:53 AM, Piotr Pawliczek <pawliczek at google.com> wrote:
>> CAUTION: External Email
> Hi Smith and Mike,
>> On Wed, Oct 19, 2022 at 3:25 PM Kennedy, Smith (Wireless & IPP Standards) <smith.kennedy at hp.com <mailto:smith.kennedy at hp.com>> wrote:
> Hi Mike and Piotr,
>>> On Oct 19, 2022, at 7:29 AM, Michael Sweet <msweet at msweet.org <mailto:msweet at msweet.org>> wrote:
>>>> CAUTION: External Email
>>>> From: Michael Sweet <msweet at msweet.org <mailto:msweet at msweet.org>>
>> Subject: Re: [IPP] IPP OAuth 2.0 question / potential gap: How should the Client manage multiple access tokens or realm identities?
>> Date: October 19, 2022 at 7:29:57 AM MDT
>> To: Piotr Pawliczek <pawliczek at google.com <mailto:pawliczek at google.com>>
>> Cc: "Kennedy, Smith (Wireless & IPP Standards)" <smith.kennedy at hp.com <mailto:smith.kennedy at hp.com>>, PWG IPP Workgroup <ipp at pwg.org <mailto:ipp at pwg.org>>, "Jimmy Wu (HE/HIM/HIS)" <Jimmy.Wu at microsoft.com <mailto:Jimmy.Wu at microsoft.com>>, Pamela Dingle <Pamela.Dingle at microsoft.com <mailto:Pamela.Dingle at microsoft.com>>, Benjamin Gordon <bmgordon at google.com <mailto:bmgordon at google.com>>
>>>>>> Piotr,
>>>>> On Oct 17, 2022, at 5:49 PM, Piotr Pawliczek <pawliczek at google.com <mailto:pawliczek at google.com>> wrote:
>>>>>> Hi Michael and Smith,
>>>>>> Regarding the implementation of the client, I would keep two caches:
>>> 1. access tokens for printers indexed by "printer-uri" (or for IPP Systems indexed by "server-uri")
>>>> I guess I figured we'd want to "pin" the OAuth server URI and scope with the printer/system ("resource") URI...
>> I think I agree with this but the primary "key" would be the printer-uri, and the value / record would need to include the "device" access token acquired earlier following token exchange.
>> Yes, it was my thinking. The printer can have only one "oauth-authorization-server-uri" and it can be queried with Get-Printer-Attributes (or cached if necessary).
>>>>> 2. access tokens for Authorization Servers indexed by "oauth-authorization-server-uri" and "oauth-scope"
>> This sounds a bit awkward but I agree with this in principle.
>> However, I want to come back to an ambiguity that I still think we need to work out. I've attached a use case diagram from the PDF I posted to the wiki page.
>> As we have already established, a mobile Client such as a laptop or smartphone may discover and interact with multiple printers, and those printers may be in different "contexts" or "domains" (e.g. at "work" and at "home"). It is possible that all the printers the Client encounters may not list unique hostnames for "oauth-authorization-server-uri" on a per-context or per-domain basis; both the "work" and "home" contexts may both be served by "authz.x.io <http://authz.x.io>".
>> That means that the Client is unable to distinguish the different contexts using the hostname. If in step 3, the Client doesn't provide an identifier for that printer (e.g. certificate or "printer-uuid" or something else unique to that printer), "authz.x.io <http://authz.x.io>" won't know whether the credentials provided in step 3 are legitimate for the "context" that the printer belongs to. Waiting until step 6 and potentially returning another HTTP 401 in step 7, would be a bad user experience, wouldn't it?
>> So what value should the Client be providing in step 20 of the big sequence diagram (ipp-authentication-6-http-oauth2.pdf <https://github.com/istopwg/ippsample/files/9427540/ipp-authentication-6-http-oauth2.pdf>) so that the printer / context can be conveyed? Did we ever come to consensus on that?
>>>>>>>>> I think that I see the problem. The fact that the user authorizes successfully does not guarantee access to the printer. Let's say that the Authorization Server is an OpenID client and redirects the user to Google OpenID (or something similar). Let's assume that I have two accounts (my private one and one used for work). If I log into my private account, I don't get access to printers at work and vice versa, If I log in to my work account at home, I don't get access to my home printers (assuming here that all printers use the same Authorization Server). Although, the similar problem exists when a user logs in to other systems with OAuth. But in case of other systems, the user can usually see what account he is currently logged in. And IPP Client does not show anything like that to the user. On the other hand, we cannot know if the user has access rights to the printer until the user completes the authentication procedure.
> Is this the issue you are thinking about?
Yes, that is part of it. If a printer I discover using my phone at work supplies "uri-authorization-server-uri" = 'authz.x.io', and so does my printer at home, and the Client in the phone already holds access tokens for both, does the Client in my phone try token exchange with each account it holds an auth token for? If an identifier for the printer were provided in steps 3 and/or 4, (step 3 being unnecessary if already authenticated), then the authz could know the "context" / "domain".
This gets awkward when you get into a SSO situation in an enterprise if the authz isn't unique for that context. If a user selects a different printer at work than one they have used before, they will be forced to re-authenticate since the Client has no way of knowing whether that printer is a member of a context associated with one of the already-logged-in accounts or some different account. So it seems like the "scope" of the context identifier may be a single printer (highly granular access control) or a collection of printers (SSO in an enterprise). That makes me think neither the printer UUID nor a particular X.509 certificate satisfies the scope needs for this "context identifier" unless the identifier comes from further up the certificate chain or something...
Let me know if I lost you on that one. 😊
>>>>>>> When the client communicates with a printer the cache 1 is used (when the printer requires OAuth). If the printer is missing there or the current access token is rejected the client queries "oauth-authorization-server-uri" and "oauth-scope" from the printer and tries to match an entry in the cache 2. If the entry is found the client does TokenExchange (in the background) to get the new access token for the printer (and saves the new access token in the cache 1). If there is no matching entry in the cache 2, the client must go through the authorization procedure to get an access token for the authorization server and given scope ("oauth-authorization-server-uri" and "oauth-scope"). The authorization procedure here means standard Authorization Code flow with PKCE (opening the internet browser, letting the user to authenticate etc).
>>> Both these caches are kept in the context of the current OS user session (they are wiped out when the user closes the session).
>>>> I think we need to support persistence beyond the current session, at least for "system" accounts and other background processes that might need access even after the user has logged out (accounting, monitoring, general printing, etc.) But for normal user sessions I agree the cached tokens can go away.
>>>> ________________________
>> Michael Sweet
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20221025/ce5a78a9/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PastedGraphic-1.png
Type: image/png
Size: 38651 bytes
Desc: not available
URL: <http://www.pwg.org/pipermail/ipp/attachments/20221025/ce5a78a9/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://www.pwg.org/pipermail/ipp/attachments/20221025/ce5a78a9/attachment.sig>
