[IPP] RFC: "oauth-authorization-scope (1setOf name(MAX))" Printer Description attribute

Michael Sweet msweet at apple.com
Tue May 21 12:53:38 UTC 2019

All,

During some side discussions regarding OAuth 2.0, I realized that we currently have no way for a Printer to tell a Client which OAuth scope(s) to request for printing - currently a Client would just request the default list, which sometimes means all scopes and sometimes a restrictive scope that doesn't convey any rights.

Scopes can be thought of as a rough equivalent of user groups and are used to specify access roles or convey specific access rights, so if an Authorization Server is used to control access to many different services (and not just to a printing service, as is the case for most federated OpenID services) we want to be able to ask for the right scope(s).

The following is my proposed solution...

oauth-authorization-scope (1setOf name(MAX))

The "oauth-authorization-scope" Printer Description attribute provides an ordered list of OAuth 2.0 scopes that SHOULD be used in an authorization request. If the attribute lists more than one scope name, the first name provides the least access, e.g., the "End User" role in IPP, while the last name provides the most access, e.g., the "Administrator" role in IPP. Clients SHOULD provide the full list of scopes in the initial authorization request and only prune the list if the OAuth 2.0 Authorization Server returns the "invalid_scope" error.

Registration template:

Printer Description attributes:                  Reference
------------------------------                   ---------
oauth-authorization-scope (1setOf name(MAX))     [IPP20190521]

_________________________________________________________
Michael Sweet, Senior Printing System Engineer
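The Client-side behaviour proposed above, as an added example that is not part of the original post or of any IPP implementation: build the OAuth 2.0 "scope" parameter from the full attribute list, then prune only on "invalid_scope". The scope names, the simulated Authorization Server, and the choice to prune the most-privileged (last) scope first are assumptions, since the post does not specify which scope to drop.

```python
"""Added example (not from the original post): using the proposed
"oauth-authorization-scope" Printer Description attribute on the Client side.

Assumptions not stated in the post: the attribute value arrives here as a
Python list in Printer order (least access first); pruning drops the last,
most-privileged scope first; the Authorization Server is simulated by a
callable returning a dict shaped like an RFC 6749 token/error response.
"""
from typing import Callable, Dict, List, Optional

# Constructed sample: scopes a Printer might advertise, least access first.
PRINTER_ATTRS = {
    "oauth-authorization-scope": ["ipp-user", "ipp-operator", "ipp-admin"],
}


def scope_parameter(attrs: Dict[str, List[str]]) -> str:
    """Build the space-separated OAuth 2.0 'scope' request parameter from the
    full attribute list, as the post recommends for the initial request."""
    return " ".join(attrs.get("oauth-authorization-scope", []))


def request_scopes(attrs: Dict[str, List[str]],
                   authorize: Callable[[str], Dict]) -> Optional[List[str]]:
    """Ask for the full list first; on "invalid_scope" prune the last
    (highest-access) scope and retry. Returns the granted list, or None."""
    scopes = list(attrs.get("oauth-authorization-scope", []))
    while scopes:
        response = authorize(" ".join(scopes))
        if "error" not in response:
            return scopes
        if response["error"] != "invalid_scope":
            # Other errors (access_denied, invalid_client, ...) are not a
            # reason to prune; surface them to the caller instead.
            raise RuntimeError(response["error"])
        scopes.pop()  # assumption: drop the most-privileged scope first
    return None


def fake_authorization_server(allowed: set) -> Callable[[str], Dict]:
    """Constructed stand-in for an Authorization Server that only recognises
    the scopes in `allowed` and rejects a request naming any other."""
    def authorize(scope: str) -> Dict:
        if all(s in allowed for s in scope.split()):
            return {"access_token": "constructed-token", "scope": scope}
        return {"error": "invalid_scope"}
    return authorize


if __name__ == "__main__":
    server = fake_authorization_server({"ipp-user", "ipp-operator"})
    print(scope_parameter(PRINTER_ATTRS))       # ipp-user ipp-operator ipp-admin
    print(request_scopes(PRINTER_ATTRS, server))  # ['ipp-user', 'ipp-operator']
```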