Re: [IPP] RFC: "oauth-authorization-scope (1setOf name(MAX))" Printer Description attribute

Michael Sweet via ipp <ipp@pwg.org> Mon, 24 June 2019 18:01 UTC


[Apologies for the delay in posting a follow-up after the last IPP WG concall...]

All,

The IPP workgroup reviewed this registration during the May 23, 2019 conference call. The consensus was to register this new attribute as-is.  The following is a summary of the discussions during the concall and via email:

- Q: Don't OAuth scopes control access to specific functionality and not access to a
     specific service?
  A: Yes, and that is what is proposed here, for example the generic End User printing
     functionality could have the scope name "printing", while Operator functionality
     has the scope name "print-operator", etc.

- Q: How does this work with Get-User-Printer-Attributes?
  A: Complicated. OAuth provides access authorization but does not necessarily
     provide identity information that could be used to look up policy; the Printer might
     need to default to a generic/guest policy
     (also see the answer to the previous question: the scope might map to the
      granted policy).

- Q: How does a Printer get registered with an Authorization Server to do
     introspection?
  A: Currently that is an implementation detail - there is no Resource Server
     registration method defined for OAuth 2.0 (yet).


> On May 21, 2019, at 8:53 AM, Michael Sweet via ipp <ipp@pwg.org> wrote:
> 
> All,
> 
> During some side discussions regarding OAuth 2.0, I realized that we currently have no way for a Printer to tell a Client which OAuth scope(s) to request for printing - currently a Client would just request the default list which sometimes means all scopes and sometimes a restrictive scope that doesn't convey any rights. Scopes can be thought of as a rough equivalent of user groups and are used to specify access roles or convey specific access rights, so if an Authorization Server is used to control access to many different services (and not just to a printing service, as is the case for most federated OpenID services) we want to be able to ask for the right scope(s).
> 
> The following is my proposed solution...
> 
> 
> oauth-authorization-scope (1setOf name(MAX))
> 
> The "oauth-authorization-scope" Printer Description attribute provides an
> ordered list of OAuth 2.0 scopes that SHOULD be used in an authorization
> request.  If the attribute lists more than one scope name, the first name
> provides the least access, e.g., the "End User" role in IPP, while the last name
> provides the most access, e.g., the "Administrator" role in IPP.  Clients
> SHOULD provide the full list of scopes in the initial authorization request and
> only prune the list if the OAuth 2.0 Authorization Server returns the
> "invalid_scope" error.
> 
> 
> Registration template:
> 
> Printer Description attributes:                 Reference
> ------------------------------                  ---------
> oauth-authorization-scope (1setOf name(MAX))    [IPP20190521]
> 
> _________________________________________________________
> Michael Sweet, Senior Printing System Engineer
> 
> _______________________________________________
> ipp mailing list
> ipp@pwg.org
> https://www.pwg.org/mailman/listinfo/ipp

_________________________________________________________
Michael Sweet, Senior Printing System Engineer

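As an added example (not code from this thread or from any PWG or CUPS implementation), here is the Client behaviour the proposal describes: request the Printer's whole ordered scope list, prune it only when the Authorization Server answers "invalid_scope", and map whatever was granted onto a Printer policy as discussed in the Get-User-Printer-Attributes question. The scope names, the toy Authorization Server, and the choice to drop the most-privileged name first are assumptions made here, not statements from the proposal.

```python
def scope_param(scopes):
    """Build the OAuth 2.0 'scope' request parameter (space-delimited, RFC 6749 3.3)."""
    return " ".join(scopes)


def request_authorization(printer_scopes, authorize):
    """Request every scope the Printer lists, then prune only on "invalid_scope".

    `authorize(scope)` stands in for the authorization request and returns the
    Authorization Server's response as a dict.  Dropping the *last* (most
    privileged) name first is an assumption, not something the proposal states.
    Returns (granted_scopes, number_of_requests_made).
    """
    requested = list(printer_scopes)
    attempts = 0
    while requested:
        attempts += 1
        resp = authorize(scope_param(requested))
        err = resp.get("error")
        if err == "invalid_scope":
            requested.pop()          # retry with a less privileged list
            continue
        if err is not None:
            raise RuntimeError(f"authorization failed: {err}")
        # RFC 6749 5.1: the response carries "scope" when it differs from the request.
        return resp.get("scope", scope_param(requested)).split(), attempts
    return [], attempts


def effective_role(granted, printer_scopes):
    """Map granted scopes to Printer policy: the highest-ranked granted name in the
    Printer's ordered list wins; None means fall back to a generic/guest policy."""
    ranks = [printer_scopes.index(s) for s in granted if s in printer_scopes]
    return printer_scopes[max(ranks)] if ranks else None


def make_toy_server(known_scopes):
    """Constructed Authorization Server that rejects any unknown scope name."""
    def authorize(scope):
        if any(s not in known_scopes for s in scope.split()):
            return {"error": "invalid_scope"}
        return {"access_token": "constructed-token", "token_type": "Bearer",
                "scope": scope}
    return authorize


if __name__ == "__main__":
    printer = ["printing", "print-operator", "print-admin"]   # constructed names
    granted, n = request_authorization(printer, make_toy_server({"printing", "print-operator"}))
    print(n, granted, effective_role(granted, printer))       # 2 ['printing', 'print-operator'] print-operator
```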