Post by josephreynolds1 on Aug 18, 2020 18:25:23 GMT
I see it now: DSP0266 version 1.9.1, section 13.3 (Authentication) states:

> Services:
> • Shall support both HTTP Basic authentication and Redfish session login authentication.
> • Shall not require a client that uses HTTP Basic authentication to create a session.
> • May implement other authentication mechanisms.

In this view, OpenBMC's mTLS implementation is an "other authentication mechanism". I don't need any spec changes for that. OpenBMC has not yet started and is still looking for direction for OAuth.
From customer feedback, there has been a stated desire for password-less authentication. The Redfish Forum is looking to standardize on existing methodologies in this space. Currently there is a desire for adopting OAuth based on the prevalence of its usage in customer environments. The Redfish Forum is open to looking at other solutions in the future if there's a need to add support beyond OAuth.