[IPP] Prototyping experience for IPP OAuth Extensions v1.0 (OAUTH)

Michael Sweet via ipp <ipp@pwg.org> Thu, 20 June 2024 17:17 UTC

Date: Thu, 20 Jun 2024 13:17:09 -0400
Message-Id: <8E716007-62CE-41A6-BFE7-255BE47519AF@msweet.org>
To: PWG IPP Workgroup <ipp@pwg.org>

All,

This message serves as notice of prototyping of the IPP OAuth Extensions v1.0 (OAUTH) specification at:

    https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippoauth10-20230814.pdf

Implementation has been progressing in multiple projects and (at this point) I can say that what remains is outside the scope of the IPP specification and entirely OAuth/OpenID-specific for the "Resource Server" authorization that the IPP Printer needs to implement for validation.

Code/status:

- CUPS v2.5: https://github.com/OpenPrinting/cups
  - (MERGING) Base OAuth/JWT/X.509 support, client authorization support
  - (PENDING) OAuth server authorization support
- libcups v3.0: https://github.com/OpenPrinting/libcups
  - (DONE) Base OAuth/JWT/X.509 support, client authorization support
- mOAuth v2.0: https://github.com/michaelrsweet/moauth
  - (MOSTLY DONE) OAuth/OpenID Authorization Server for testing
- PAPPL v2.0: https://github.com/michaelrsweet/pappl
  - (IN PROGRESS) OAuth client/server authorization support
- cups-local v3.0: https://github.com/OpenPrinting/cups-local
  - (WAITING-FOR-PAPPL) OAuth client authorization
- cups-sharing v3.0: https://github.com/OpenPrinting/cups-sharing
  - (WAITING-FOR-PAPPL) OAuth client/server authorization

Both cups-local and cups-sharing depend on PAPPL for their OAuth support, which in turn depends on CUPS/libcups for the base OAuth support.

Prototyping Experience/Issues:

- X.509 Validation of CA-Signed Certificates
  - Installing CA-signed certs on printers needs work (ACME-IOT or similar)
- OpenID Authorization Servers are far more consistent than OAuth servers
  - Lack of RFC 8414 metadata support for common OAuth implementations (Github, others)
    - CUPS implementation tries both metadata paths and then has a backup for Github
  - RFC 7636 PKCE code_challenge/verifier vs. OpenID nonce vs. no additional protection during authorization
    - CUPS implementation detects authorization requirements via metadata
- Implementing well-known/authorized list of OAuth servers is probably optimistic:
  - Amazon and Microsoft OpenID solutions (at least) require you to set up/provision your own server, which will have a unique FQDN for your organization's domain (so no single standard URL)
  - Think we need to reword the guidance here to have the administrator populate a list of acceptable Authorization Server URLs that are used by the client
  - This list could be dynamically generated via DHCP option (needs registration) and/or DNS-SD lookup for the organization domain

We'll discuss this during today's conference call...

________________________
Michael Sweet

_______________________________________________
ipp mailing list
ipp@pwg.org
https://www.pwg.org/mailman/listinfo/ipp
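As an added example (not code from CUPS, libcups or this message), the client-side logic the issues above describe: deriving both metadata locations (RFC 8414 and OpenID Connect Discovery) for an issuer, checking the issuer against an administrator-populated allowlist, choosing PKCE or an OpenID nonce from the metadata, and the RFC 7636 S256 computation on both sides. The allowlist entries and metadata documents are constructed sample values.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlsplit, urlunsplit

# Hypothetical administrator-populated allowlist of Authorization Server
# issuer URLs (constructed sample values, not real deployments).
ALLOWED_ISSUERS = {"https://auth.example.org", "https://login.example.org/tenant1"}

def metadata_urls(issuer):
    """The two discovery locations a client should try, in order: RFC 8414
    (path inserted after the well-known segment) and then OpenID Connect
    Discovery (well-known appended to the issuer path)."""
    u = urlsplit(issuer)
    path = u.path.rstrip("/")
    rfc8414 = urlunsplit((u.scheme, u.netloc, "/.well-known/oauth-authorization-server" + path, "", ""))
    oidc = urlunsplit((u.scheme, u.netloc, path + "/.well-known/openid-configuration", "", ""))
    return [rfc8414, oidc]

def choose_protection(issuer, metadata, allowed=ALLOWED_ISSUERS):
    """Validate fetched metadata and pick the authorization-request protection.
    Returns "pkce", "nonce" or "none"; raises ValueError for a rejected server."""
    if issuer not in allowed:
        raise ValueError("issuer not in administrator allowlist")
    # RFC 8414 requires the metadata "issuer" to equal the issuer we asked for;
    # a mismatch indicates a misconfigured or impersonating server.
    if metadata.get("issuer") != issuer:
        raise ValueError("metadata issuer does not match requested issuer")
    if "S256" in metadata.get("code_challenge_methods_supported", []):
        return "pkce"
    if "openid" in metadata.get("scopes_supported", []):
        return "nonce"
    return "none"

def s256_challenge(verifier):
    """RFC 7636: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def pkce_pair():
    """Client side: fresh code_verifier (43 unreserved chars) and its challenge."""
    verifier = secrets.token_urlsafe(32)
    return verifier, s256_challenge(verifier)

def verify_pkce(verifier, challenge):
    """Server side: recompute the challenge from the presented verifier."""
    return secrets.compare_digest(s256_challenge(verifier), challenge)

# Constructed sample metadata documents standing in for fetched JSON.
SAMPLE_OIDC = {"issuer": "https://login.example.org/tenant1",
               "scopes_supported": ["openid"], "code_challenge_methods_supported": ["S256", "plain"]}
SAMPLE_PLAIN = {"issuer": "https://auth.example.org", "scopes_supported": ["repo"]}
```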