[IPP] Questions regarding IPP and oAuth

[IPP] Questions regarding IPP and oAuth

Jeremy Leber jeremy.leber at lexmark.com
Wed Nov 16 18:34:49 UTC 2016 

Hi All,

I could use some clarification on the proper way to use OAuth with IPP,
given the following scenario:

I have an IPP endpoint that requires verification of the client's identify
and validation of the client's authorization before printing a job.  The
client has obtained an OAuth token that will be used for this purpose.

When implementing this, should the implementor assume that IPP allows and
expects OAuthv2 tokens to be included in the HTTP header (as would be the
case for any other HTTP request)?

If this IS the case, does the system expect any other user authentication
information in the IPP request itself?

As an implementor, when implementing an IPP service with OAuth, are the
following assumptions correct?

   - uri-authentication-supported MUST contain 'oauth' if OAuthv2 is
   supported
   - oauth-authorization-server-uri MUST contain the OAuthv2 authorization
   URI to be used to authorize the user if uri-authentication-supported
   contains 'oauth'
   - The users actual OAuthv2 token MUST be supplied in the HTTP Header
   Authorization line as a Bearer Token per the Oauth RFC
      - The IPP service will/may authorize access to the printer/device
      using the supplied OAuthv2 token
   - access-oauth-token and access-oauth-uri are only used to access a
   Document on behalf of the user to be processed by the service not for
   printer/device access itself

And a few extra questions:

   - Has any discussion or consideration been had regarding using ID tokens
   to represent the job owner (i.e. the requesting-user-name)?
   - If the authentication process using SAML or OpenID Connect, it may
   retrieve a JWT or SAML Assertion which contains the user's identity, has
   any discussion been had about the benefits or pitfalls or delvierying the
   JWT/Assertions as the identity instead of a simple requesting-user-name?


Sorry for the lengthy questions... would love to get some quick feedback
from the group.

Thanks!
Jeremy

*Jeremy Leber*
Area Owner, Network Firmware Development

*O*  +1 859 825-4505
jeremy.leber at lexmark.com

<http://www.lexmark.com/>
www.lexmark.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20161116/6b12431f/attachment.html>

More information about the ipp mailing list