[IPP] WG Last Call: IPP Authentication Methods

[IPP] WG Last Call: IPP Authentication Methods

Kennedy, Smith (Wireless & Standards Architect) smith.kennedy at hp.com
Fri Mar 1 20:38:20 UTC 2019


I've updated Section 4 like so - thoughts?

4. Client Authentication Methods
Authentication is the process of establishing some level of trust that an entity is who or what they are claiming to be. A Printer uses the “authenticated identity” or the “most authenticated user” [RFC8011] to determine whether to allow the requesting Client access to capabilities such as operations, resources, and attributes. A Printer specifies its supported authentication methods via several IPP attributes. The “uri-authentication-supported” attribute [RFC8011] indicates the authentication method used for a corresponding URI in “printer-uri-supported” [RFC8011]. The “xri-authentication” member attribute of “printer-xri-supported” [RFC3380] specifies the same corresponding values, if the Printer implements the “printer-xri-supported” attribute. Each of the authentication method keywords currently registered for “uri-authentication-supported” is described in its own subsection below.

In cases where the Printer is not directly involved in the authentication process, such as when OAuth2 is used, or when the Printer depends on an external authentication service, the Printer might not be directly aware of the User's identity following authentication. In these cases, the Printer could still need to acquire the User's identity in order to accurately document the User's identity in the Job Object's Job Status attributes, or to support IPP operations such as Get-User-Printer-Attributes [IPPGUPA] that depend on the User's identity to provide meaningfully filtered operation responses.

When handing an IPP Job Creation request, the Printer will need to populate the Job's “job-originating-user-name” Job Status attribute. In cases where the Printer relies upon an external authentication service, it will need to acquire a meaningfully printable value from the authentication service.

The Printer or the Job might also need to store a token or identifier (UUID, JWT, etc.) that represents the User's authenticated identity or authentication session, in cases where the Printer depends on an external authorization service for print policy evaluation. This token is considered by IPP to be an internal implementation detail, and is not available to Clients via IPP, as discussed in [RFC8011] section 5.3.6.

One authentication system not described below is SAML (Security Assertion Markup Language)[SAMLCORE]. As of this writing, none of the standard SAML bindings to HTTP directly support IPP. SAML can indirectly support OAuth2 via a SAML / OAuth2 gateway. The bridge typically uses the SAML 2.0 assertion as an OAuth 2.0 Bearer token. Specific instructions for how to configure this depends on the SAML and OAuth2 system implementations, and is beyond the scope of this document.



> On Mar 1, 2019, at 1:05 PM, Kennedy, Smith (Wireless & Standards Architect) via ipp <ipp at pwg.org> wrote:
> 
> Signed PGP part
> Thanks for mentioning this detail, Bill! I am fine with adding that the purpose of authentication is to acquire a token to be used for access authorization. But after re-reading the definition of "job-originating-user-name" from RFC 8011, I'm not sure I agree that the value of the "job-originating-user-name" attribute itself is necessarily the token to be used. Notice the second paragraph, which talks about the Printer maintaining an "internal originating user ID of some form", which is "used for authorization checks" but isn't publicly visible:
> 
> 5.3.6.  job-originating-user-name (name(MAX))
>    This REQUIRED attribute contains the name of the End User that
>    submitted the Print Job.  The Printer sets this attribute to the most
>    authenticated printable name that it can obtain from the
>    authentication service over which the IPP operation was received.
>    Only if such a name is not available does the Printer use the value
>    supplied by the Client in the "requesting-user-name" operation
>    attribute of the Job Creation request (see Sections 5.4.2, 5.4.3,
>    and 9).
> 
>    Note: The Printer needs to keep an internal originating user ID of
>    some form, typically as a credential of a principal, with the Job.
>    Since such an internal attribute is implementation dependent and not
>    of interest to Clients, it is not specified as a Job attribute.  This
>    originating user ID is used for authorization checks (if any) on all
>    subsequent operations.
> 
> So the value of "job-originating-user-name" could be some printable name string, but that value isn't itself necessarily the token that would be used by the Printer's "backend" implementation to engage with a particular authentication service. And that token has no IPP Job Status attribute and is considered by IPP to be an internal implementation detail.
> 
> Smith
> 
> 
> 
>> On Mar 1, 2019, at 12:21 PM, wamwagner at comcast.net <mailto:wamwagner at comcast.net> wrote:
>> 
>> Both Michael and Smith make good points, and I think it is mainly a question of how far Smith wants to extend the scope of the document. From his earlier message, it appears that he has  added more information on Authorization. However, his comment that the purpose of Authentication  in a printer is primarily to support Authorization features is quite to the point. Indeed,  the text might point out that the extended authentication mechanisms discussed relate to obtaining the value of the IPP attribute job-originating-user-name, which is used by the printer for authorization checks. That is,
>>    The Printer sets this attribute to the most
>>    authenticated printable name that it can obtain from the
>>    authentication service over which the IPP operation was received.
>>    Only if such a name is not available does the Printer use the value
>>    supplied by the Client in the "requesting-user-name" operation
>>    attribute of the Job Creation request.
>> 
>> Of course, from Michael’s point, discussion of printer-implemented authorization  in this document is probably limited to  restating what is in STD92: using  the most authenticated printable name for authorization and IPP responses to authentication failures.
>> 
>> Thanks,
>> Bill Wagner
>> 
>> 
>> From: Kennedy, Smith (Wireless & Standards Architect) <mailto:smith.kennedy at hp.com>
>> Sent: Friday, March 1, 2019 10:49 AM
>> To: Michael Sweet <mailto:msweet at msweet.org>
>> Cc: William A Wagner <mailto:wamwagner at comcast.net>; Rizzo, Christopher <mailto:Christopher.Rizzo at xerox.com>; Rick Yardumian <mailto:RYardumian at ciis.canon.com>; PWG IPP Workgroup <mailto:ipp at pwg.org>
>> Subject: Re: [IPP] WG Last Call: IPP Authentication Methods
>> 
>> How about this:
>> 
>> 3.4. Out of Scope
>> 
>> The following are considered out of scope for this document:
>> Definition of new HTTP authentication methods
>> Definition of how specific authorization mechanisms are used by an IPP Printer. The Internet Printing Protocol/1.1 [STD92] defines authorization roles for end users, operators, and administrators, but does not define how a Printer or an authorization mechanism maps those roles to authenticated users.
>> 
>> 
>> 
>> 
>> On Feb 28, 2019, at 5:00 PM, Michael Sweet <msweet at msweet.org <mailto:msweet at msweet.org>> wrote:
>> 
>> Bill,
>> 
>> I think you make a good point.
>> 
>> Smith,
>> 
>> I think you can make a general statement about authorization, something along the lines of:
>> 
>> "Specific authorization mechanisms are outside the scope of this document. The Internet Printing Protocol/1.1 [STD92] defines authorization roles for end users, operators, and administrators, but does not define how a Printer maps those roles to authenticated users."
>> 
>> 
>> > On Feb 28, 2019, at 5:50 PM, wamwagner--- via ipp <ipp at pwg.org <mailto:ipp at pwg.org>> wrote:
>> >
>> > Smith,
>> >
>> > Sorry, my confusion continues. Your new Authorization example may be valid, but it seems odd to me that someone would have an account in a printer but not have authority to print at all. Conditional authority, restricting use to certain times or restricting color, or quantity, etc. would be more realistic, but that is at the IPP level and does not appear to be addressed in this specification.
>> >
>> > The title is Authentication Methods, and although I may have missed it, I do not think that it does much with authorization (at least not by the printer), which would occur after successful Authentication. Perhaps the Authorization use case should be put in the out of scope section?
>> > Thanks, Bill W.
>> >
>> >
>> >
>> > From: Rizzo, Christopher via ipp
>> > Sent: Thursday, February 28, 2019 4:12 PM
>> > To: Kennedy, Smith (Wireless & Standards Architect); Rick Yardumian
>> > Cc: PWG IPP WG Reflector
>> > Subject: Re: [IPP] WG Last Call: IPP Authentication Methods
>> >
>> > This update looks good to me.
>> >
>> > Thanks,
>> > Chris
>> >
>> > Christopher Rizzo
>> > Xerox Corporation
>> > GDG/Discovery/Advance Technology
>> > 26600 SW Parkway Ave.
>> > Wilsonville, OR 97070-9251
>> > Phone: (585) 314-6936
>> > Email: Christopher.Rizzo at xerox.com <mailto:Christopher.Rizzo at xerox.com>
>> >
>> > "The realization came over me with full force that a good part of the remainder of my life was going to be spent in finding errors in my own programs."
>> > -Maurice Wilkes, Memoirs of a Computer Pioneer
>> >
>> > From: "Kennedy, Smith (Wireless & Standards Architect)" <smith.kennedy at hp.com <mailto:smith.kennedy at hp.com>>
>> > Date: Thursday, February 28, 2019 at 12:36 PM
>> > To: Christopher Rizzo <Christopher.Rizzo at xerox.com <mailto:Christopher.Rizzo at xerox.com>>, Rick Yardumian <RYardumian at ciis.canon.com <mailto:RYardumian at ciis.canon.com>>
>> > Cc: PWG Workgroup <ipp at pwg.org <mailto:ipp at pwg.org>>
>> > Subject: Re: [IPP] WG Last Call: IPP Authentication Methods
>> >
>> > Thanks for the feedback Chris! I also received this feedback from Canon's Rick Yardumian (CC'ed). In my LCRC draft, I've resolved this issue by rewriting 3.3.2 to more meaningfully describe an authorization failure.
>> >
>> > Here's the rewrite. Any objections or suggestions?
>> >
>> > Harry is also visiting Andy's office and wants to print from his laptop. He uses his laptop to discover available printers, and selects one listed. The printer is configured to limit access to only authorized users.
>> >
>> > The printer challenges the laptop for authentication, and the laptop presents an authentication dialog to Harry. Harry has an account, and enters the account's username and password. The printer accepts these credentials, but that account is not authorized to access that printer. Harry's laptop shows a notification dialog expressing this to Harry. Harry clicks “OK” and looks for a pencil.
>> >
>> > Smith
>> >
>> >
>> >
>> > On Feb 28, 2019, at 12:33 PM, Rizzo, Christopher <Christopher.Rizzo at xerox.com <mailto:Christopher.Rizzo at xerox.com>> wrote:
>> >
>> > Just curious, but section 3.3 Exceptions of this document has sections 3.3.1 and 3.3.2 which are pretty much exact duplicates of each other, exception being Lisa vs. Harry. Was this intentional?
>> >
>> > Thanks,
>> > Chris
>> >
>> >
>> > Christopher Rizzo
>> > Xerox Corporation
>> >
>> > GDG/Discovery/Advance Technology
>> >
>> > 26600 SW Parkway Ave.
>> >
>> > Wilsonville, OR 97070-9251
>> >
>> > Phone: (585) 314-6936
>> >
>> > Email: Christopher.Rizzo at xerox.com <mailto:Christopher.Rizzo at xerox.com>
>> >
>> > "The realization came over me with full force that a good part of the remainder of my life was going to be spent in finding errors in my own programs."
>> > -Maurice Wilkes, Memoirs of a Computer Pioneer
>> >
>> > On 1/17/19, 4:00 PM, "ipp on behalf of Kennedy, Smith (Wireless & Standards Architect)" <ipp-bounces at pwg.org <mailto:ipp-bounces at pwg.org> on behalf of smith.kennedy at hp.com <mailto:smith.kennedy at hp.com>> wrote:
>> >
>> > Greetings,
>> >
>> > This message begins the IPP workgroup Last Call of the IPP Authentication Methods best practice draft, available at:
>> >
>> > https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippauth-20190117.odt <https://protect-us.mimecast.com/s/QCrsCn5XpXTDmDQ0iJ1m_N?domain=ftp.pwg.org>
>> > https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippauth-20190117.pdf <https://protect-us.mimecast.com/s/HISOCo2KqKhYvYJNTV4CIm?domain=ftp.pwg.org>
>> > https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippauth-20190117-rev.pdf <https://protect-us.mimecast.com/s/GAoKCpYK0KioAoPrTGLYMd?domain=ftp.pwg.org>
>> >
>> > Please respond with any feedback or comments by doing a "reply all" to this message.
>> >
>> > This last call will end on January 31, 2019 at 10pm PT.
>> >
>> > Cheers,
>> > Smith
>> >
>> > /**
>> > Smith Kennedy
>> > HP Inc.
>> > */
>> >
>> > _______________________________________________
>> > ipp mailing list
>> > ipp at pwg.org <mailto:ipp at pwg.org>
>> > https://www.pwg.org/mailman/listinfo/ipp <https://protect-us.mimecast.com/s/tmYaCmZ6o6hlWlGwHGZ8k0?domain=pwg.org>
>> >
>> >
>> >
>> > _______________________________________________
>> > ipp mailing list
>> > ipp at pwg.org <mailto:ipp at pwg.org>
>> > https://www.pwg.org/mailman/listinfo/ipp <https://protect-us.mimecast.com/s/tmYaCmZ6o6hlWlGwHGZ8k0?domain=pwg.org>
>> 
>> ________________________
>> Michael Sweet
>> 
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.pwg.org/pipermail/ipp/attachments/20190301/d631e2a1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://www.pwg.org/pipermail/ipp/attachments/20190301/d631e2a1/attachment.sig>


More information about the ipp mailing list