[IPP] IPP printer Access Rights


Michael Sweet msweet at msweet.org
Mon Mar 10 20:36:47 UTC 2025


John,

> On Mar 9, 2025, at 9:35 PM, John Madden via ipp <ipp at pwg.org> wrote:
> ...
> "Access Rights: The authenticated user (see Section 9.3) performing
> this operation MUST be an Operator or Administrator of the Printer
> (see Sections 1 and 9.5). Otherwise, the IPP Printer MUST reject the
> operation and return 'client-error-forbidden',
> 'client-error-not-authenticated', or 'client-error-not-authorized'
> as appropriate."
> 
> In the case where the requesting-user-name is used, does the printer attempt to use this as the authenticated user? As a Windows user token is not passed to the printer, how are access rights determined?

The "authenticated user" is more commonly known as the "most authenticated user", where the "requesting-user-name" might be used as identity information if there is otherwise no authentication.

More commonly a HTTP authentication scheme is used - Basic, Negotiate (Kerberos), or Bearer (OAuth/OpenID). Windows doesn't support Digest, and we are only now starting to see OAuth implementations.

IPP also supports HTTP Digest (CUPS-based systems support this) and can also use TLS client certificate authentication, although I'm not aware of any deployments of that for IPP...

________________________
Michael Sweet
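
Added example, not part of the original message and not code from CUPS or any IPP implementation: a sketch of resolving the "most authenticated user" and applying the quoted Access Rights rule. The function names, the operator list, the choice to never grant rights to an unverified "requesting-user-name", and the mapping of cases to the three status codes are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# IPP status codes defined in RFC 8011.
SUCCESSFUL_OK = 0x0000
CLIENT_ERROR_FORBIDDEN = 0x0401
CLIENT_ERROR_NOT_AUTHENTICATED = 0x0402
CLIENT_ERROR_NOT_AUTHORIZED = 0x0403


@dataclass(frozen=True)
class Identity:
    name: Optional[str]
    authenticated: bool  # True only when the transport layer verified the user


def most_authenticated_user(verified_user: Optional[str],
                            requesting_user_name: Optional[str]) -> Identity:
    """Prefer the identity proven by HTTP authentication or a TLS client
    certificate; fall back to the client-supplied requesting-user-name,
    which is kept as identity information only."""
    if verified_user:
        return Identity(verified_user, True)
    return Identity(requesting_user_name or None, False)


def check_admin_operation(identity: Identity, operators: frozenset,
                          auth_configured: bool) -> int:
    """Return the IPP status for an Operator/Administrator-only operation.
    The mapping of cases to status codes is this example's assumption."""
    if not identity.authenticated:
        # An unverified name never grants rights, even if it matches an operator.
        return (CLIENT_ERROR_NOT_AUTHENTICATED if auth_configured
                else CLIENT_ERROR_FORBIDDEN)
    if identity.name not in operators:
        return CLIENT_ERROR_NOT_AUTHORIZED
    return SUCCESSFUL_OK


# Constructed sample data: a hypothetical operator list.
OPERATORS = frozenset({"alice"})
```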


