Understanding and Utilizing the JWT Feature in CUPS

[edivanteixeira]

Hi everyone,

I’ve been exploring the CUPS codebase and recently came across the implementation of JSON Web Tokens (JWT) in the source. I noticed several functions and definitions related to JWT, such as cupsJWTSign(), cupsJWTImportString(), and cupsJWTHasValidSignature(), among others.

Background

From what I understand, this JWT feature could potentially allow CUPS to support modern authentication mechanisms, such as OAuth2 and OpenID Connect, by validating tokens issued by an Identity Provider (IdP) like Azure AD. This seems particularly useful for integrating CUPS into environments where Single Sign-On (SSO) is in use, enhancing both security and user management.

Questions

I’d like to start a discussion to better understand the following:

1. Use Cases and Examples:

   • What are the intended use cases for JWT within CUPS?
   • Are there any example configurations or documentation available that demonstrate how to enable and use JWT authentication in a typical CUPS setup?

2. Integration with SSO Systems:

   • How can CUPS be configured to work with JWT tokens issued by systems like Azure AD or other OAuth2-compliant IdPs?
   • What is the recommended approach for passing JWT tokens to CUPS, and how does CUPS handle token validation?

3. Configuration Details:

   • Are there specific settings in cupsd.conf or elsewhere that need to be adjusted to activate JWT support?
   • How does CUPS manage JWT claims for authorization, and what is the scope of customization in this area?

4. Security Considerations:

   • What are the security best practices when using JWT with CUPS, especially regarding token handling and signature verification?

Seeking Guidance

I’m looking for guidance from those who may have experience with this feature or from the maintainers who can provide insight into its design and intended usage. Any pointers to documentation, examples, or advice on setting up a secure and functional JWT-based authentication system with CUPS would be greatly appreciated.

Thanks in advance for your help!

Best regards,
Edivan Teixeira

[michaelrsweet]

So you're a bit ahead of the curve at the moment. OAuth/OpenID support is a CUPS 2.5 feature and we are in the process of getting everything in place. There is nothing you can really test/play with at the moment beyond the unit tests in the "testoauth" program, but that won't help you setup OAuth with CUPS or cupsd.

Once we do have OAuth support added to cupsd we'll also have documentation for it... :)

[edivanteixeira]

Michael, thank you very much for the response. I ended up following a path where I developed a Proxy in front to forward to the local CUPS. This way, I can set up filters and URLs with private IDs as if they were virtual printers. It will be a lot of work to implement the protocol, but I believe it will work. Thank you very much for the response, and I hope you're doing well. Em ter., 13 de ago. de 2024, 13:02, Michael R Sweet < ***@***.***> escreveu:

…

So you're a bit ahead of the curve at the moment. OAuth/OpenID support is a CUPS 2.5 feature and we are in the process of getting everything in place. There is nothing you can really test/play with at the moment beyond the unit tests in the "testoauth" program, but that won't help you setup OAuth with CUPS or cupsd. Once we *do* have OAuth support added to cupsd we'll also have documentation for it... :) — Reply to this email directly, view it on GitHub <#1032 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMO46HA7RS4SYXWUAYVZJ3ZRIUZPAVCNFSM6AAAAABMMUOYE2VHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTAMZSG44TGNQ> . You are receiving this because you authored the thread.Message ID: ***@***.***>