[IPP] Updated draft of IPP OAuth Extensions v1.0 posted

Michael Sweet msweet at msweet.org
Fri Jun 6 02:35:17 UTC 2025


Smith,

The resource server (Printer/System) indeed provides the resource metadata URL in the WWW-Authenticate header.  The example in section 5.1:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer resource_metadata=
  "https://resource.example.com/.well-known/oauth-protected-resource"

The resource metadata at that URL provides the authorization server(s) and scope(s) for the resource(s) on the server, e.g. (from section 3.2):

{
   "resource":
     "https://resource.example.com",
   "authorization_servers":
     ["https://as1.example.com",
      "https://as2.example.net"],
   "bearer_methods_supported":
     ["header", "body"],
   "scopes_supported":
     ["profile", "email", "phone"],
   "resource_documentation":
     "https://resource.example.com/resource_documentation.html"
}


> On Jun 5, 2025, at 9:08 PM, Kennedy, Smith (Wireless & IPP Standards) <smith.kennedy at hp.com> wrote:
> 
> Hi Mike, 
> 
> Thanks for the update to your draft.
> 
> After the call, I was reading RFC 9728 and in this section there is a sequence diagram that seems to indicate that it is the resource server itself, not the authorization server, that is providing the resource metadata. If the "resource server" is the server providing the resource the client is trying to access, in the IPP case that is the IPP Printer or System (or Job or Document), so it would be the Printer hosting the Protected Resource Metadata, not some other server / host? I'm guessing this is a generic HTTP / OAuth mechanism for providing what IPP can also provide using "oauth-authorization-scopes" and "oauth-authorization-server-uri"? 
> 
>> https://www.rfc-editor.org/rfc/rfc9728.html#name-use-of-www-authenticate-for
> 
> Or am I reading this incorrectly?
> 
> Smith
> 
> /**
>     Smith Kennedy
>     HP Inc.
> */ 
> 
>> On Jun 4, 2025, at 9:43 AM, Michael Sweet via ipp <ipp at pwg.org> wrote:
>> 
>> All,
>> 
>> I have posted yet another stable/LCRC draft of the IPP OAuth Extensions v1.0 (OAUTH) to:
>> 
>>    https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippoauth10-20250603.docx
>>    https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippoauth10-20250603.pdf
>>    https://ftp.pwg.org/pub/pwg/ipp/wd/wd-ippoauth10-20250603-rev.pdf
>> 
>> This draft clarifies usage of metadata for choosing extensions like PKCE and OpenID nonce, and adds implementation guidance WRT (auto/manual) client (pre)registration.
>> 
>> ________________________
>> Michael Sweet
>> 
> 

________________________
Michael Sweet
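
The discovery step described in the reply above, as an added example that is not part of the original message or of the IPP OAuth draft: a client reads the resource_metadata URL from the 401 challenge, then accepts the metadata only if its "resource" value matches the identifier the well-known URL was built from. That matching rule is taken here as an assumption from RFC 9728's metadata validation text; the function names and the https-only policy are hypothetical.

```python
import json
import re
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"

# Constructed sample input, copied from the header and metadata quoted in the message.
SAMPLE_HEADER = ('Bearer resource_metadata='
                 '"https://resource.example.com/.well-known/oauth-protected-resource"')
SAMPLE_METADATA = json.dumps({
    "resource": "https://resource.example.com",
    "authorization_servers": ["https://as1.example.com", "https://as2.example.net"],
    "scopes_supported": ["profile", "email", "phone"],
})


def metadata_url_from_challenge(header):
    """Return the resource_metadata URL from a Bearer challenge, or None."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    # \s* around '=' tolerates the folded header layout shown in the message.
    m = re.search(r'(?:^|[\s,])resource_metadata\s*=\s*"([^"]*)"', params)
    return m.group(1) if m else None


def expected_resource(metadata_url):
    """Derive the resource identifier by removing the well-known path segment."""
    u = urlsplit(metadata_url)
    if u.scheme != "https" or not u.netloc or not u.path.startswith(WELL_KNOWN):
        raise ValueError("metadata URL must be https and use the well-known path")
    suffix = u.path[len(WELL_KNOWN):]
    if suffix and not suffix.startswith("/"):
        raise ValueError("unexpected well-known path")
    return f"https://{u.netloc}{suffix}"


def validate_metadata(metadata_url, body):
    """Parse metadata; refuse it unless 'resource' matches the URL it came from."""
    meta = json.loads(body)
    if meta.get("resource") != expected_resource(metadata_url):
        raise ValueError("resource mismatch: metadata must not be used")
    # Policy choice of this example: require at least one https authorization server.
    servers = meta.get("authorization_servers", [])
    if not servers or any(urlsplit(s).scheme != "https" for s in servers):
        raise ValueError("authorization servers missing or not https")
    return servers, meta.get("scopes_supported", [])
```

Fetching the metadata document over TLS is left out so the example runs offline; the body passed to validate_metadata stands in for that response.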
