
OAuth Server and Default Callback Support

Open michaelrsweet opened this issue 3 years ago • 7 comments

This bug is a placeholder for adding OAuth server support to cupsd and figuring out the right default callbacks on different platforms.

michaelrsweet, Sep 13 '21 17:09

Related to issue #100 which adds the basic client callback support in libcups.

michaelrsweet, Sep 13 '21 17:09

Okay, so by authorization you mean that when we open localhost:631 it asks for the username and password of the machine, and there we have to add authorization?

ShivanshCharak, Mar 01 '23 19:03

@ShivanshCharak No, this is to integrate support for using OAuth/OpenID with CUPS - on the client side to open a browser window to authorize access, and on the server (cupsd) side to "introspect" the access token to get the authorized user name.

In short, an alternative to the usual username + password stuff.

michaelrsweet, Mar 02 '23 11:03

It's easier to manage from a security perspective by allowing a single identity per employee and auditing (SAML is a good example; think about controlling the paper type and color/b&w centrally in that case). OpenID Connect is usually for public service authentication such as Google, Facebook, etc.; I don't think it's mandatory for such a project.

yarons, Mar 02 '23 11:03

@michaelrsweet Okay, so you mean that by using OpenID we have to do authorization by popping up a window, where we have to give our details like email or password, and using that the system will give us access?

ShivanshCharak, Mar 03 '23 06:03

@ShivanshCharak I appreciate the enthusiasm!

We are finalizing some OAuth things over in the Printer Working Group now, and I hope to post an initial document for discussion this week (I'll add a link here).

Aside from the logistics of what bits of OAuth/OpenID to support, there are also a bunch of security things to think about in implementation to prevent arbitrary programs from collecting access tokens.

michaelrsweet, Mar 07 '23 15:03

OK, so I've been noodling some things for how to implement this:

  • [ ] Add a secure Authorization header store - encrypted files that require a login password (via PAM) to "unlock" with some additional entropy, tied to host, to support OAuth and Basic headers (value would be Base64URL-encoded - "prefix.value-hash.value" where prefix and password are hashed to make an encryption key to encrypt/decrypt the value and value hash)
  • [ ] Also support a CUPS_HTTP_AUTHORIZATION environment variable to specify the Authorization: header to use for non-interactive usage
  • [ ] Add a command (cupscfg?) to manage the encrypted store
  • [ ] Add cupsd support for OAuthServer URI directive and AuthType Bearer value to cupsd.conf, with requirement for OpenID/RFC 8414 metadata and JWT usage so that tokens can be introspected locally

For GUI applications, the CPDB UI will need to handle bringing up the OAuth authorization page and collecting the bearer token.

michaelrsweet, Apr 05 '24 21:04
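The last item in the plan above is the cupsd side: with an `OAuthServer` URI, `AuthType Bearer`, RFC 8414 metadata and JWT access tokens, the server can "introspect" a token locally, without a round trip to the authorization server, by verifying the signature against the server's published key set and then reading the user name out of the claims. The block below is an added illustration of that check and is not CUPS code (CUPS is written in C; Go is used here so RSA, JSON and base64url all come from the standard library). Everything in it is assumed for the example: the issuer URL, the printer URI used as the token audience, the `kid` of the signing key, and that the JWKS referenced by the metadata's `jwks_uri` has already been fetched and parsed into a `kid -> public key` map. `MintToken` plays the authorization server so the example runs offline; a real cupsd would only ever run the `Introspect` side.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Issuer value cupsd would take from the RFC 8414 metadata at
// <OAuthServer>/.well-known/oauth-authorization-server (hypothetical URL).
const issuer = "https://auth.example.test"

var b64 = base64.RawURLEncoding

type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// NewIssuerKey makes a throwaway RS256 signing key standing in for the server's.
func NewIssuerKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// MintToken signs header.payload with RS256 as the authorization server would.
func MintToken(priv *rsa.PrivateKey, kid string, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return signing + "." + b64.EncodeToString(sig)
}

// Introspect validates an "Authorization: Bearer <jwt>" header locally, as the
// proposed AuthType Bearer would, and returns the authorized user name (sub).
func Introspect(authHeader, audience string, jwks map[string]*rsa.PublicKey, now time.Time) (string, error) {
	parts := strings.Split(strings.TrimPrefix(authHeader, "Bearer "), ".")
	if !strings.HasPrefix(authHeader, "Bearer ") || len(parts) != 3 {
		return "", errors.New("not a Bearer JWT")
	}
	var raw [3][]byte
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return "", fmt.Errorf("part %d: %w", i, err)
		}
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return "", err
	}
	// Pin the algorithm: the token must not get to pick "none" or an HMAC variant.
	if hdr.Alg != "RS256" {
		return "", fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := jwks[hdr.Kid]
	if !ok {
		return "", fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return "", errors.New("bad signature")
	}
	// Claims mean nothing until the signature has been checked against a pinned key.
	var c claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return "", err
	}
	switch {
	case c.Iss != issuer:
		return "", fmt.Errorf("issuer %q does not match OAuthServer metadata", c.Iss)
	case c.Aud != audience:
		return "", errors.New("token was not issued for this printer")
	case now.Unix() >= c.Exp:
		return "", errors.New("token expired")
	}
	return c.Sub, nil
}

func main() {
	const printer = "ipps://printer.example.test/ipp/print" // hypothetical audience
	priv := NewIssuerKey()
	jwks := map[string]*rsa.PublicKey{"k1": &priv.PublicKey}
	tok := MintToken(priv, "k1", claims{issuer, "alice", printer, time.Now().Add(time.Hour).Unix()})
	fmt.Println(Introspect("Bearer "+tok, printer, jwks, time.Now()))
}
```

The order of the checks is the point: the algorithm is fixed by the verifier rather than read from the token, the key is selected by `kid` from the metadata-published set, and only after the signature verifies are `iss`, `aud` and `exp` compared, so a token minted for a different printer or a different issuer is rejected even though it is validly signed. A real implementation would also refresh the JWKS when an unknown `kid` shows up and allow a small clock skew on `exp`.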