Post by devadathvijay on Jul 13, 2021 13:49:36 GMT
Hi,
In HostInterface Spec 1.2.0 it is mentioned that, "The session associated with the auto-generated credentials shall not timeout or expire."
But in HostInterface Spec 1.3.0, the section under which the above note is given is deprecated (Credential generation and management for use by firmware and OS kernel). HostInterface Spec 1.3.0 defines a new method (Credential Bootstrapping) to authenticate communication in HostInterfaces. This section doesn't have any note about SessionAuth.
Q's:
1. If a Redfish implementation is following HI Spec 1.3.0, should the implementation support SessionAuth through HostInterface?
2. If the client is creating a session using a BootStrapCredential account, should it be expired like normal sessions, or should it be expired only on Host Reset?
Thanks in advance, Devadath Vijay
Post by mraineri on Jul 13, 2021 14:09:57 GMT
For 1: Yes, that would be expected. For 2: Yes, the session would expire like normal sessions.
Feedback from the industry regarding the delivery of credentials via UEFI variables has largely been negative, which is why it was deprecated in 1.3.0 in favor of the newer method.
Post by igork on Sept 7, 2021 18:51:26 GMT
Hi, I have some questions to clarify regarding SessionAuth. According to the Redfish HI spec, the SessionAuth method is used to send UserName and Password only once. It is done to make it more secure, since only the SessionId is used during BIOS-BMC communication. But if the session is expired, then we cannot use the old SessionId and a new session has to be created. In that case BIOS should send the credentials itself, which compromises the whole idea of Session. Thank you, Igor
Post by mraineri on Sept 7, 2021 19:38:08 GMT
There's no limitation to the number of times you can pass a username and password to the manager to create a session. If the session expires, you can perform a POST to the SessionCollection again with the bootstrap credentials to create a new session with a session token.
Is there text you can point me to that says you can only do this once? I cannot find such text in the specification.
Post by igork on Sept 7, 2021 20:12:34 GMT
We have Basic Authentication and Session Authentication. If we have to send the credentials several times during boot, it is mostly the same as using Basic Authentication. The main difference between those two methods is to send the credentials only once at the beginning and then use the SessionId.
Post by mraineri on Sept 9, 2021 11:41:47 GMT
Yes, that's entirely possible. Depending on how frequently UEFI is interacting with the BMC, it might need to send credentials again to establish a new session. However, if UEFI is consistently interacting with the BMC, let's say at least one Redfish operation every 10 seconds, then I would expect the session to remain open for the entire execution of UEFI.
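The behaviour discussed in this thread, as an added example that is not part of any post or of the Redfish specification: a client that sends the bootstrap credentials only when it holds no valid token, and POSTs to the SessionCollection again when the service answers 401. `FakeBmc`, `SessionClient`, the timeout value and the assumption that every authenticated request resets the inactivity timer are constructed for illustration.

```python
import secrets

SESSIONS = "/redfish/v1/SessionService/Sessions"

class FakeBmc:
    """Constructed in-memory stand-in for a Redfish service with an inactivity timeout."""
    def __init__(self, user, password, timeout_s):
        self.creds, self.timeout_s = (user, password), timeout_s
        self.now = 0.0        # simulated clock, advanced by the caller
        self.tokens = {}      # token -> time of last use
        self.logins = 0       # how many times credentials crossed the interface

    def request(self, method, path, headers=None, body=None):
        if method == "POST" and path == SESSIONS:
            self.logins += 1
            if (body.get("UserName"), body.get("Password")) != self.creds:
                return 401, {}, {}
            token = secrets.token_hex(16)
            self.tokens[token] = self.now
            return 201, {"X-Auth-Token": token, "Location": f"{SESSIONS}/1"}, {}
        token = (headers or {}).get("X-Auth-Token")
        last = self.tokens.get(token)
        if last is None or self.now - last > self.timeout_s:
            self.tokens.pop(token, None)   # idle too long: the session is gone
            return 401, {}, {}
        self.tokens[token] = self.now      # assumption: any request resets the idle timer
        return 200, {}, {"path": path}

class SessionClient:
    """Holds a session token and logs in again only when the service rejects it."""
    def __init__(self, bmc, user, password):
        self.bmc, self.user, self.password, self.token = bmc, user, password, None

    def _login(self):
        status, headers, _ = self.bmc.request(
            "POST", SESSIONS, body={"UserName": self.user, "Password": self.password})
        if status != 201:
            raise PermissionError("session creation rejected")
        self.token = headers["X-Auth-Token"]

    def get(self, path):
        for _ in range(2):                 # at most one re-login per call
            if self.token is None:
                self._login()
            status, _, body = self.bmc.request("GET", path, {"X-Auth-Token": self.token})
            if status != 401:
                return status, body
            self.token = None              # expired or unknown token: drop it and retry
        raise PermissionError("token rejected right after login")
```

With Basic Authentication the same loop would send the credentials on every request; here `logins` grows only when the idle gap exceeds the timeout.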