Open michaelrsweet opened 3 years ago
Related to issue #100 which adds the basic client callback support in libcups.
Okay so by authorization you mean when we open the localhost:631 it asks for username and password of the machine there we have to add authorization?
@ShivanshCharak No, this is to integrate support for using OAuth/OpenID with CUPS - on the client side to open a browser window to authorize access, and on the server (cupsd) side to "introspect" the access token to get the authorized user name.
In short, an alternative to the usual username + password stuff.
It's easier to manage from security perspective by allowing having a single identity per employee and auditing (SAML is a good example, think about controlling the paper type and color/b&w centrally in that case). OpenID Connect is usually for public services authentication such as Google, Facebook, etc., I don't think it's mandatory for such project.
@michaelrsweet okay so you mean by using openid we have to do Authorization by poping up the window there we have to give our detail like email or password and by using tge system will give us access
@ShivanshCharak I appreciate the enthusiasm!
We are finalizing some OAuth things over in the Printer Working Group now, and I hope to post an initial document for discussion this week (I'll add a link here).
Aside from the logistics of what bits of OAuth/OpenID to support, there are also a bunch of security things to think about in implementation to prevent arbitrary programs from collecting access tokens.
OK, so I've been noodling some things for how to implement this:
CUPS_HTTP_AUTHORIZATION
environment variable to specify the Authorization: header to use for non-interactive usagecupsoauth
?) to manage the encrypted store (get/set/clear)OAuthServer URI
directive and AuthType Bearer
value to cupsd.conf, with requirement for OpenID/RFC 8414 metadata and JWT usage so that tokens can be introspected locallyFor GUI applications, the CPDB UI will need to handle bringing up the OAuth authorization page and collecting the bearer token.
This bug is a placeholder for adding OAuth server support to cupsd and figuring out the right default callbacks on different platforms.