More OAuth/OpenID changes for the scheduler:

- Instead of treating the bearer token as a JWT, use the userinfo endpoint
  (via cupsOAuthGetUserId) to get the user information and (as a side-effect)
  validate the bearer token.
- Set the verified AuthType when get have a valid token.
- Support OAuth group files relative to the cupsd.conf file.

Author: michaelrsweet

scheduler/auth.c

@@ -710,7 +710,7 @@ cupsdAuthorize(cupsd_client_t *con)	/* I - Client connection */
   else if (!strncmp(authorization, "Bearer ", 7))
   {
     // OAuth/OpenID authorization using JWT bearer tokens...
-    cups_jwt_t	*jwt;			// JWT decoded from bearer token...
+    cups_jwt_t	*jwt;			// JWT user information
     const char	*sub,			// Subject/user ID
 		*name,			// Real name
 		*email;			// Email address
@@ -724,35 +724,22 @@ cupsdAuthorize(cupsd_client_t *con)	/* I - Client connection */
       authorization = bearer;		// Use the cookie value for authorization
 
     // Decode and validate the JWT...
-    if ((jwt = cupsJWTImportString(authorization, CUPS_JWS_FORMAT_COMPACT)) == NULL)
+    if ((jwt = cupsOAuthGetUserId(OAuthServer, OAuthMetadata, authorization)) == NULL)
     {
-      cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to import JWT Bearer token: %s", cupsGetErrorString());
+      cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to get user information from bearer token: %s", cupsGetErrorString());
       cupsCopyString(con->autherror, cupsGetErrorString(), sizeof(con->autherror));
       return;
     }
-    else if (!cupsJWTHasValidSignature(jwt, OAuthJWKS))
-    {
-      cupsdLogClient(con, CUPSD_LOG_ERROR, "JWT Bearer token signature is bad.");
-      cupsCopyString(con->autherror, "Invalid JWT signature.", sizeof(con->autherror));
-      cupsJWTDelete(jwt);
-      return;
-    }
-    else if (cupsJWTGetClaimNumber(jwt, CUPS_JWT_EXP) < time(NULL))
-    {
-      cupsdLogClient(con, CUPSD_LOG_ERROR, "JWT Bearer token is expired.");
-      cupsCopyString(con->autherror, "Expired JWT.", sizeof(con->autherror));
-      cupsJWTDelete(jwt);
-      return;
-    }
     else if ((sub = cupsJWTGetClaimString(jwt, CUPS_JWT_SUB)) == NULL)
     {
-      cupsdLogClient(con, CUPSD_LOG_ERROR, "Missing subject name in JWT Bearer token.");
+      cupsdLogClient(con, CUPSD_LOG_ERROR, "Missing subject name in user information.");
       cupsCopyString(con->autherror, "Missing subject name.", sizeof(con->autherror));
       cupsJWTDelete(jwt);
       return;
     }
 
     // Good JWT, grab information from it and return...
+    con->type         = CUPSD_AUTH_BEARER;
     con->autherror[0] = '\0';
     con->password[0]  = '\0';
 

scheduler/auth.h

@@ -10,7 +10,7 @@
  */
 
 #include <pwd.h>
-#include <cups/jwt.h>
+#include <cups/oauth.h>
 
 
 /*

scheduler/conf.c

@@ -3698,7 +3698,8 @@ read_cups_files_conf(cups_file_t *fp)	/* I - File to read from */
       * OAuthGroup NAME FILENAME
       */
 
-      char *filename;			/* Filename on line */
+      char	temp[1024],			/* Temporary filename */
+		*filename;			/* Filename on line */
 
       for (filename = value; *filename; filename ++)
       {
@@ -3709,6 +3710,13 @@ read_cups_files_conf(cups_file_t *fp)	/* I - File to read from */
       while (*filename && isspace(*filename & 255))
         *filename++ = '\0';
 
+      if (*filename != '/')
+      {
+        // Convert relative filename to CUPS_SERVERROOT/filename
+        snprintf(temp, sizeof(temp), "%s/%s", ServerRoot, filename);
+        filename = temp;
+      }
+
       if (*filename && !access(filename, R_OK))
       {
         if (!cupsdAddOAuthGroup(value, filename) && (FatalErrors & CUPSD_FATAL_CONFIG))

scheduler/env.c

@@ -1,18 +1,14 @@
 /*
  * Environment management routines for the CUPS scheduler.
  *
- * Copyright © 2020-2024 by OpenPrinting.
+ * Copyright © 2020-2025 by OpenPrinting.
  * Copyright © 2007-2016 by Apple Inc.
  * Copyright © 1997-2006 by Easy Software Products, all rights reserved.
  *
  * Licensed under Apache License v2.0.  See the file "LICENSE" for more
  * information.
  */
 
-/*
- * Include necessary headers...
- */
-
 #include "cupsd.h"