Smith,
> On Oct 12, 2025, at 5:25 PM, Kennedy, Smith (Wireless & IPP Standards) <smith.kennedy at hp.com> wrote:
>> As you all know, I’m not a cryptographer, but I really can’t imagine how this solution would actually be robust enough to be considered secure. If the file is hosted outside of the device, what prevents the URL from being provided by a device illegitimately?
This is just to identify what the OAuth folks call a "public client". The JSON metadata document needs to be hosted via HTTPS with a CA-signed cert, so for example "https://openprinting.github.io/cups/oauth.json" for a CUPS OAuth client_id. The Authorization Server (and End User) can choose to accept or reject the authorization request using that client_id.
The advantage of this scheme over Dynamic Client Registration is that it is easier to manage/scale for an AS - with DCR you have to generate and keep a registry of clients, and (for example) every CUPS client that uses an AS will have a unique client_id vs. sharing the same client_id for all CUPS clients.
________________________
Michael Sweet
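
An added example, not part of the original message or of CUPS: a sketch of the checks an Authorization Server could run on a URL-style client_id and on the JSON document retrieved from it before choosing to accept or reject the request. The metadata body is a constructed sample embedded inline (no network fetch), the field names are RFC 7591 client metadata, and the acceptance policy and function names are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of what the AS retrieves from the client_id URL.
CLIENT_ID = "https://openprinting.github.io/cups/oauth.json"
SAMPLE_DOC = json.dumps({
    "client_id": CLIENT_ID,
    "client_name": "CUPS (constructed sample)",
    "redirect_uris": ["http://127.0.0.1/"],   # constructed value
    "token_endpoint_auth_method": "none",      # public client, no secret
})

def url_problems(client_id):
    """Reasons a client_id is unusable as a metadata URL (example policy)."""
    try:
        u = urlsplit(client_id)
    except ValueError:
        return ["not a parseable URL"]
    problems = []
    if u.scheme != "https":
        problems.append("scheme is not https")
    if not u.hostname:
        problems.append("no host")
    if u.username is not None or u.password is not None:
        problems.append("userinfo present")
    if u.fragment:
        problems.append("fragment present")
    if any(seg in (".", "..") for seg in u.path.split("/")):
        problems.append("dot segment in path")
    return problems

def evaluate(client_id, fetched_body, redirect_uri):
    """Return (accept, reasons) for one authorization request."""
    reasons = url_problems(client_id)
    try:
        doc = json.loads(fetched_body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return False, reasons + ["metadata is not a JSON object"]
    if doc.get("client_id") != client_id:
        reasons.append("document client_id does not match the URL fetched")
    uris = doc.get("redirect_uris")
    if not isinstance(uris, list) or redirect_uri not in uris:
        reasons.append("redirect_uri not listed in metadata")
    if doc.get("token_endpoint_auth_method") != "none" or "client_secret" in doc:
        reasons.append("not a public client")
    return not reasons, reasons
```

A request that presents the shared client_id but a redirect URI the hosted document does not list is rejected, so the authorization response only goes to locations published under the HTTPS origin that hosts the document.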