Hi Mike,
Thanks for the update to your draft.
After the call, I was reading RFC 9728 and in this section there is a sequence diagram that seems to indicate that it is the resource server itself, not the authorization server, that is providing the resource metadata. If the "resource server" is the server providing the resource the client is trying to access, in the IPP case that is the IPP Printer or System (or Job or Document), so it would be the Printer hosting the Protected Resource Metadata, not some other server / host? I'm guessing this is a generic HTTP / OAuth mechanism for providing what IPP can also provide using "oauth-authorization-scopes" and "oauth-authorization-server-uri"?
https://www.rfc-editor.org/rfc/rfc9728.html#name-use-of-www-authenticate-for
Or am I reading this incorrectly?
Smith
/**
Smith Kennedy
HP Inc.
*/
On Jun 4, 2025, at 9:43 AM, Michael Sweet via ipp <ipp at pwg.org> wrote:
All,
I have posted yet another stable/LCRC draft of the IPP OAuth Extensions v1.0 (OAUTH) to:
https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippoauth10-20250603.docx
https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippoauth10-20250603.pdf
https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippoauth10-20250603-rev.pdf
This draft clarifies usage of metadata for choosing extensions like PKCE and OpenID nonce, and adds implementation guidance WRT (auto/manual) client (pre)registration.
________________________
Michael Sweet
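An added example, not part of the original thread or of the IPP OAuth draft: a client-side sketch of the RFC 9728 flow discussed above, in which the client reads `resource_metadata` from the resource server's 401 challenge, derives the default well-known location on the same host, and accepts the metadata only if its `resource` value equals the URL it requested. The host `printer.example.com`, the path `/ipp/print`, the authorization server URL and the sample JSON are constructed, and treating the printer's https URL as the resource identifier is an assumption.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"


def resource_metadata_url(challenge):
    """Return the resource_metadata value of a Bearer challenge, or None."""
    scheme, _, params = challenge.partition(" ")
    if scheme.lower() != "bearer":
        return None
    m = re.search(r'(?:^|[,\s])resource_metadata="([^"]*)"', params)
    return m.group(1) if m else None


def well_known_url(resource):
    """Insert the well-known string between host and path (RFC 9728 default)."""
    u = urlsplit(resource)
    path = "" if u.path == "/" else u.path  # drop a bare trailing slash
    return urlunsplit((u.scheme, u.netloc, WELL_KNOWN + path, u.query, ""))


def authorization_servers(metadata_json, requested_url):
    """Return the advertised issuers; reject metadata for another resource."""
    meta = json.loads(metadata_json)
    if meta.get("resource") != requested_url:
        raise ValueError("resource mismatch; metadata must not be used")
    return meta.get("authorization_servers", [])


# Constructed sample exchange (not captured from a real printer).
REQUESTED = "https://printer.example.com/ipp/print"
CHALLENGE = ('Bearer realm="ipp", resource_metadata='
             '"https://printer.example.com/.well-known/'
             'oauth-protected-resource/ipp/print"')
METADATA = json.dumps({
    "resource": REQUESTED,
    "authorization_servers": ["https://auth.example.com"],
    "scopes_supported": ["print"],
})

if __name__ == "__main__":
    url = resource_metadata_url(CHALLENGE)
    print("metadata URL from challenge:", url)
    print("matches well-known default:", url == well_known_url(REQUESTED))
    print("issuers:", authorization_servers(METADATA, REQUESTED))
```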