[IPP] Add "oauth-authorization-resource" attribute?

Michael Sweet msweet at msweet.org
Wed Nov 9 14:39:14 UTC 2022


Smith,

> On Nov 8, 2022, at 11:56 PM, Kennedy, Smith (Wireless & IPP Standards) <smith.kennedy at hp.com> wrote:
> ...
> If an Authentication Service supports a certificate or some other more trustable artifact as a resource identifier, perhaps one provisioned to the printer at the time the printer is registered, that could improve the situation, right? I thought we discussed that at the August F2F.

Yes, for authenticating the System/Printer/Proxy to the auth server - that's one of the things MS does for their Universal Print Service.

The point of the Client passing the printer-uri/system-uri when doing token exchange is to limit the potential exposure of credentials.  The Client will have already validated the Printer's X.509 certificate when it connects to do a Get-Printer-Attributes, and then the authorization server can validate that the System/Printer/Proxy has registered *that* printer-uri/system-uri.  That combined with the Client validating the oauth-authorization-server-uri value will minimize the likelihood of a breach.

> Regardless, I think that it would be better for the client to use the value provided by a purpose-defined but abstract attribute like "oauth-authorization-resource-id" instead of instructing or guiding clients to use "printer-uuid" or "printer-uri". The value held by "oauth-authorization-resource-id" could be a URI or a UUID (printer-uuid or some other UUID).

There is no way to validate the value, so its use in securing the authorization token would be lost.

With the URI, the Client resolves the address, connects to the service, negotiates a secure connection via TLS, and is able to validate the server-side X.509 certificate against a trusted root CA (no self-signed certs if you are using OAuth!)

________________________
Michael Sweet
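The checks Mike describes above, as an added example that is not code from the PWG, from the IPP OAuth work, or from anyone on this thread: an authorization server that only issues a token when the 'resource' value of a token-exchange request is a printer-uri/system-uri that some System/Printer/Proxy has registered, and a Client that refuses to send a resource URI that does not name the endpoint whose certificate it already validated during Get-Printer-Attributes. It uses the RFC 8707 'resource' parameter and its 'invalid_target' error code and the RFC 8693 token-exchange grant type; the registry contents, host names, client ids and certificate names are constructed for illustration, and subject-token validation is left out. A urn:uuid: or bare UUID value fails the same check for the reason given in the message: there is no host to resolve, connect to, or check a certificate for.

```python
"""Added example (not from the thread): binding an OAuth token to a validated
printer-uri/system-uri.  Registry, URIs, client ids and cert names are
constructed sample data."""
from typing import Optional
from urllib.parse import urlsplit

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
DEFAULT_PORTS = {"ipps": 631, "https": 443}

# Constructed registry: printer-uri/system-uri values registered by a
# System/Printer/Proxy, keyed by canonical URI -> registering OAuth client id.
REGISTERED_RESOURCES = {
    "ipps://print1.example.com:631/ipp/print": "proxy-client-42",
    "ipps://mfp.example.com:631/ipp/system": "system-client-7",
}


def canonical_resource(value: str) -> Optional[str]:
    """Canonical form of a usable resource URI, or None.

    Usable means an absolute ipps:// or https:// URI with a host (something a
    Client can resolve, connect to over TLS and check a certificate for), and no
    userinfo, query or fragment.  'urn:uuid:...' or a bare UUID yields None:
    there is nothing to resolve, so nothing for a token to be bound to.
    """
    try:
        parts = urlsplit(value)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        if parts.fragment or parts.query or parts.username or parts.password:
            return None
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except ValueError:          # malformed URI or non-numeric port
        return None
    host = parts.hostname.lower()
    if ":" in host:             # IPv6 literal must stay bracketed
        host = f"[{host}]"
    return f"{scheme}://{host}:{port}{parts.path or '/'}"


def handle_token_exchange(params: dict, registry=REGISTERED_RESOURCES) -> dict:
    """Authorization-server side: decide a token-exchange request with a
    'resource' parameter (RFC 8707).

    Success returns the claims the issued token would carry, with 'aud' pinned
    to the canonical printer-uri/system-uri.  Failure returns an OAuth error
    object; 'invalid_target' is RFC 8707's code for an unknown/unusable resource.
    """
    if params.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return {"error": "unsupported_grant_type"}
    resource = params.get("resource")
    if not resource:
        return {"error": "invalid_target", "error_description": "resource required"}
    canon = canonical_resource(resource)
    if canon is None or canon not in registry:
        return {"error": "invalid_target",
                "error_description": f"{resource!r} is not a registered printer-uri/system-uri"}
    return {
        "aud": canon,                      # token is only good at this Printer/System
        "registered_by": registry[canon],  # the System/Printer/Proxy that registered it
        "sub": params.get("subject", "user"),  # subject_token validation omitted here
    }


def client_resource_matches_connection(printer_uri: str, connected_host: str,
                                       connected_port: int, cert_dns_names) -> bool:
    """Client side: before sending printer_uri as 'resource', confirm it names the
    host:port it already reached over TLS for Get-Printer-Attributes and that
    the host appears in that validated certificate's DNS names (exact match;
    wildcard names are not handled in this example)."""
    canon = canonical_resource(printer_uri)
    if canon is None:
        return False
    parts = urlsplit(canon)
    return (parts.hostname == connected_host.lower()
            and parts.port == connected_port
            and parts.hostname in {n.lower() for n in cert_dns_names})


def authorization_server_uri_acceptable(uri: str) -> bool:
    """Client side: only use an advertised oauth-authorization-server-uri that
    is https with a host, so its certificate can be checked against a trusted
    root CA before any token is requested."""
    parts = urlsplit(uri)
    return parts.scheme.lower() == "https" and bool(parts.hostname)
```

The server-side function only ever compares canonical URIs, so "IPPS://Print1.Example.COM/ipp/print" and "ipps://print1.example.com:631/ipp/print" map to the same registry entry, while a URI with a fragment, userinfo or an unregistered host is rejected with invalid_target rather than silently matched.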
