Hi, as per session authentication, for creating a session we have the below detail:
Shall not require a client that uses HTTP Basic authentication to create a session
So if a user posts a request with Basic auth and a username and password in the request body to create a session (POST /redfish/v1/SessionService/Sessions), it should throw a bad request from the Redfish server. Please correct me if I'm wrong. If a user gives a request with Basic authentication and a session token also for a GET URI, do we need to return a bad request, or authenticate by checking the authentication methods one by one (if one authentication is incorrect)? Do we have any priority between Basic authentication and Session authentication? Please clarify.
With the way I interpret that wording, I don't see a client providing a Basic Authentication header when performing a POST to /redfish/v1/SessionService/Sessions as a bad request; it's certainly not useful, but I don't see a need to reject the request. Rather, the intent of that line is to ensure a service does not reject the request in the absence of the Basic Authentication header.
I think there is certainly room for clarity though. As you've also pointed out, we don't discuss what happens when the client provides both the Basic Authentication header and the session token header. My personal preference would be to avoid assigning a priority though, since if we add additional authentication methods, that can become difficult to manage. We will need to discuss this more and update the specification.
So if the client provides Basic auth details to POST /redfish/v1/SessionService/Sessions, we can create a session based on the username and password in the request body irrespective of the Basic auth details in the request (assume the Basic auth details are incorrect for POST /redfish/v1/SessionService/Sessions and the request body has the correct username and password; we can ignore the Basic authentication failure and create the session).
We need to discard Basic authentication in the POST /redfish/v1/SessionService/Sessions request.
Please discuss more and update the specification accordingly for the use case of providing both the Basic Authentication header and the session token header.
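As an added illustration (not code from this thread or from the Redfish specification), the following Python model applies the interpretation given in the reply above: a POST to /redfish/v1/SessionService/Sessions is authenticated from the body, and an Authorization header on that request is ignored rather than rejected; for other requests carrying both a Basic header and X-Auth-Token, the example assumes, since the specification leaves this open, that every presented credential must validate and resolve to the same account. The Request and AuthService classes, the basic_header helper and the sample accounts are constructed for this example.

```python
import base64
import hmac
import secrets
from dataclasses import dataclass, field

SESSIONS_URI = "/redfish/v1/SessionService/Sessions"


@dataclass
class Request:                  # minimal HTTP request model (constructed for the example)
    method: str
    path: str
    headers: dict
    body: dict = field(default_factory=dict)


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value for the sample requests."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


@dataclass
class AuthService:
    users: dict                                   # UserName -> password (constructed sample accounts)
    sessions: dict = field(default_factory=dict)  # X-Auth-Token -> UserName

    def _password_ok(self, user, password) -> bool:
        expected = self.users.get(user) if isinstance(user, str) else None
        if expected is None or not isinstance(password, str):
            return False
        return hmac.compare_digest(expected.encode(), password.encode())  # constant-time compare

    def _user_from_basic(self, header: str):
        scheme, _, blob = header.partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None                           # malformed header counts as a failed credential
        return user if self._password_ok(user, password) else None

    def handle(self, req: Request):
        """Return (status, headers); only the authentication decision is modelled."""
        if req.method == "POST" and req.path == SESSIONS_URI:
            # Session creation authenticates from the body. An Authorization header here is
            # neither required nor an error, so it is ignored (assumed policy, per the thread).
            user = req.body.get("UserName")
            if not self._password_ok(user, req.body.get("Password")):
                return 401, {}
            token = secrets.token_urlsafe(32)
            self.sessions[token] = user
            return 201, {"X-Auth-Token": token}
        presented = []                            # one resolved identity per credential sent
        if "Authorization" in req.headers:
            presented.append(self._user_from_basic(req.headers["Authorization"]))
        if "X-Auth-Token" in req.headers:
            presented.append(self.sessions.get(req.headers["X-Auth-Token"]))
        # Assumption (spec leaves this open): all credentials must be valid and name one account.
        if not presented or None in presented or len(set(presented)) != 1:
            return 401, {}
        return 200, {"user": presented[0]}
```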