Using both Basic auth and Session auth in get uri request

AMI_Mani
Tuna

AMI

Posts: 175

Using both Basic auth and Session auth in get uri request Mar 24, 2021 14:17:23 GMT

Quote

Post by AMI_Mani on Mar 24, 2021 14:17:23 GMT

Hi,
As per Session authentication, for creating session we have below dteial

Shall not require a client that uses HTTP Basic authentication to create a session

So if user post request with Basic auth and Username, password in request body to create session(POST /redfish/v1/SessionService/Sessions), it should throw bad request from Redfish server.
Please correct me if I'm wrong
If user gives request with Basic authentication and Session token also for get uri, do we need to return bad request or authenticate by checking one by one authentication method(if one authentication is incorrect)
Do we have any priority between Basic authentication and Session authentication?
Please clarify

Thanks,
Mani

mraineri
Administrator

Posts: 1,047

Using both Basic auth and Session auth in get uri request Mar 24, 2021 15:39:20 GMT

Quote

Post by mraineri on Mar 24, 2021 15:39:20 GMT

With the way I interpret that wording, I don't see a client providing a Basic Authentication header when performing a POST to /redfish/v1/SessionService/Sessions as a bad request; it's certainly not useful, but I don't see a need to reject the request. Rather, the intent of that line is to ensure a service does not reject the request in the absence of the Basic Authentication header.

I think there is certainly room for clarity though. As you've also pointed out, we don't discuss what happens when the client provides both the Basic Authentication header and the session token header. My personal preference would be to avoid assigning a priority though, since if we add additional authentication methods, that can become difficult to manage. We will need to discuss this more and update the specification.

AMI_Mani
Tuna

AMI

Posts: 175

Using both Basic auth and Session auth in get uri request Mar 24, 2021 17:44:56 GMT

Quote

Post by AMI_Mani on Mar 24, 2021 17:44:56 GMT

Thanks for reply.

So if client provide Basic auth details to POST /redfish/v1/SessionService/Sessions, we can create session based on username, password in request body irrespective of Basic auth details in request(Assume Basic auth details is incorrect for POST /redfish/v1/SessionService/Sessions and request body has correct username, password, we can ignore basic authentication failure and create session)

We need to discard basic authentication in POST /redfish/v1/SessionService/Sessions request.

Please discuss more and update specification accordingly for providing both Basic Authentication header and the session token header use case

Thanks,
Mani

josephreynolds1
Guppy

Posts: 61

Using both Basic auth and Session auth in get uri request Mar 25, 2021 15:12:45 GMT

Quote

Post by josephreynolds1 on Mar 25, 2021 15:12:45 GMT

For reference, the OpenBMC BMCWeb Redfish implementation authenticates Redfish session in a fixed sequence. It checks for XTOKEN before Basic auth. The code is here: github.com/openbmc/bmcweb/blob/master/include/authorization.hpp#L246
Whether that is correct or not, I do not know.