On behalf of a client we developed a Linux based software for a printer accounting device receiving print jobs from all kinds of clients over network. Due to the device's flexible setup scenarios case-by-case selections of authentication source were required and so internal authentication capabilities of Cups didn't suffice. Thus, we were patching Cups to get a hook for integrating our own script-based authentication.
The patch is simply applied to the sources of Cups version 1.2 prior to compiling it. In cups configuration a new directive ToxaExternalAuthentication is available then pointing to the absolute path of some external script or binary called on each authentication request. The script may select whether user is authenticated or not. As a third result it might instruct Cups to authenticate the user internally.