[IPP] Add "oauth-authorization-resource" attribute?

[IPP] Add "oauth-authorization-resource" attribute?

Kennedy, Smith (Wireless & IPP Standards) smith.kennedy at hp.com
Wed Nov 30 15:56:44 UTC 2022


Hi Mike,

> On Nov 9, 2022, at 7:39 AM, Michael Sweet <msweet at msweet.org> wrote:
> 
> CAUTION: External Email
> 
> From: Michael Sweet <msweet at msweet.org>
> Subject: Re: [IPP] Add "oauth-authorization-resource" attribute?
> Date: November 9, 2022 at 7:39:14 AM MST
> To: "Kennedy, Smith (Wireless & IPP Standards)" <smith.kennedy at hp.com>
> Cc: PWG IPP Workgroup <ipp at pwg.org>
> 
> 
> Smith,
> 
>> On Nov 8, 2022, at 11:56 PM, Kennedy, Smith (Wireless & IPP Standards) <smith.kennedy at hp.com> wrote:
>> ...
>> If an Authentication Service supports a certificate or some other more trustable artifact as a resource identifier, perhaps one provisioned to the printer at the time the printer is registered, that could improve the situation, right? I thought we discussed that at the August F2F.
> 
> Yes, for authenticating the System/Printer/Proxy to the auth server - that's one of the things MS does for their Universal Print Service.
> 
> The point of the Client passing the printer-uri/system-uri when doing token exchange is to limit the potential exposure of credentials.  The Client will have already validated the Printer's X.509 certificate when it connects to do a Get-Printer-Attributes, and then the authorization server can validate that the System/Printer/Proxy has registered *that* printer-uri/system-uri.  That combined with the Client validating the oauth-authorization-server-uri value will minimize the likelihood of a breach.
> 
>> Regardless, I think that it would be better for the client to use the value provided by a purpose-defined but abstract attribute like "oauth-authorization-resource-id" instead of instructing or guiding clients to use "printer-uuid" or "printer-uri". The value held by "oauth-authorization-resource-id" could be a URI or a UUID (printer-uuid or some other UUID).
> 
> There is no way to validate the value, so its use in securing the authorization token would be lost.
> 
> With the URI, the Client resolves the address, connects to the service, negotiates a secure connection via TLS, and is able to validate the server-side X.509 certificate against a trusted root CA (no self-signed certs if you are using OAuth!)

Agree, but I don't think that eliminates the value that "oauth-authorization-resource-id" provides. The value held by "oauth-authorization-resource-id" could be whatever is needed to identify the resource to the Authentication Service. In some cases it may be "printer-uuid" or "printer-uri" or some unique value provisioned to the Printer by the Authentication Service during printer registration. Defining "oauth-authorization-resource-id" means we don't have to provide specific guidance as to what is provided in the OAuth 2.0 requests that require a resource ID to be specified as a parameter.

The Client is still free to compare the elements of "printer-uri" with the fields in the Printer's X.509 TLS certificate.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20221130/2598102d/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://www.pwg.org/pipermail/ipp/attachments/20221130/2598102d/attachment.sig>


More information about the ipp mailing list