Post by rpajak on Sept 26, 2022 9:27:00 GMT
What should be the HTTP status code if incorrect credentials have been provided in the session creation request body (POST on the session collection)? Should it be 200 or 400 (with an appropriate extended error response)?
Post by jautor on Sept 26, 2022 14:59:01 GMT
The correct response is `401 Unauthorized`. The specification calls this out in the Status Codes section for use when "Authentication credentials included with this request are missing or invalid."
Jeff
Post by rpajak on Sept 27, 2022 5:45:24 GMT
Isn't 401 misleading in this scenario? The 401 response means that the request lacks valid authentication credentials for the requested resource, which is not true, because POST on the session collection does not require authentication. If the service returns 401 it should also send a WWW-Authenticate header to inform how to authorize to access the resource. Then, if the customer resends the request with a valid Basic authentication header (but still the same incorrect username and password in the body), the result will still be 401. Web browsers will automatically show a popup for username and password to send e.g. a Basic authorization header in this case.
Post by mraineri on Sept 27, 2022 12:56:39 GMT
While it's true that you do not need authentication headers in the request to POST to the session collection, you do need valid credentials, which are in the body of the request. 401 still applies here since the service is verifying the supplied credentials to either provide access to the client or to reject the request.
We'll certainly need to discuss more about the WWW-Authenticate in the response, because you're correct, that can cause pop-ups in browsers. Is it realistic for a web browser to attempt to create a Redfish session in the first place though? Maybe a browser with a Redfish plug-in, but at that point I would expect that sort of software to handle the 401 response from the session creation request.
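The behaviour the replies above describe, as an added example that is not part of the thread and is not code from any Redfish implementation: a minimal Python handler for POST on the Sessions collection that takes credentials from the JSON body, ignores any Authorization header, answers a bad username or password with 401 plus a Redfish extended error body, and answers a valid pair with 201, a Location header and X-Auth-Token. The account store, salt and password are constructed, the Base.1.0.GeneralError MessageId is an illustrative choice rather than something the thread recommends, and `send_www_authenticate` is a hypothetical switch added only to show the two sides of the WWW-Authenticate question (RFC 7235 expects the header on a 401; a Basic challenge is what triggers a browser popup).

```python
"""Added example (not from the thread or any Redfish implementation): a minimal
Redfish-style session-creation handler."""
import hashlib
import hmac
import json
import secrets

SESSIONS_URI = "/redfish/v1/SessionService/Sessions"

# Constructed account store: a fixed salt and one account with a made-up password.
_SALT = b"constructed-salt-not-for-production"


def _hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


ACCOUNTS = {"admin": _hash_password("correct-horse-battery")}
_DUMMY_HASH = _hash_password("")  # compared against when the user does not exist
SESSIONS = {}  # session Id -> session record (in-memory, illustrative only)


def redfish_error(code, message, resolution):
    """Redfish extended error body: top-level 'error' object plus @Message.ExtendedInfo.
    The MessageId values passed in by callers are illustrative, not mandated by the thread."""
    return {
        "error": {
            "code": code,
            "message": message,
            "@Message.ExtendedInfo": [
                {
                    "@odata.type": "#Message.v1_1_0.Message",
                    "MessageId": code,
                    "Message": message,
                    "Severity": "Critical",
                    "Resolution": resolution,
                }
            ],
        }
    }


def verify_credentials(username, password):
    """Constant-time check of the body credentials; the hash is always computed so an
    unknown user name costs the same as a wrong password."""
    candidate = _hash_password(password)
    stored = ACCOUNTS.get(username, _DUMMY_HASH)
    return hmac.compare_digest(candidate, stored) and username in ACCOUNTS


def handle_session_post(body, request_headers=None, send_www_authenticate=False):
    """POST on the Sessions collection. Returns (status, response_headers, response_body).

    Credentials come from the JSON body only. Any Authorization header on the request is
    ignored, so a valid Basic header plus a wrong body still yields 401 (the scenario raised
    in the thread). send_www_authenticate is a hypothetical switch: RFC 7235 expects the
    header on a 401, but a Basic challenge is what makes a browser show a login popup.
    """
    headers = {"Content-Type": "application/json", "OData-Version": "4.0"}
    try:
        doc = json.loads(body)
        username, password = doc["UserName"], doc["Password"]
        if not isinstance(username, str) or not isinstance(password, str):
            raise TypeError("UserName and Password must be strings")
    except (ValueError, KeyError, TypeError):
        # Malformed request body: a client error, not an authentication failure.
        return 400, headers, redfish_error(
            "Base.1.0.GeneralError",
            "The request body must be JSON with string UserName and Password properties.",
            "Correct the request body and resubmit.")

    if not verify_credentials(username, password):
        if send_www_authenticate:
            headers["WWW-Authenticate"] = 'Basic realm="Redfish"'
        return 401, headers, redfish_error(
            "Base.1.0.GeneralError",
            "Invalid username or password.",
            "Supply valid credentials in the request body and resubmit.")

    session_id = secrets.token_hex(8)
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"UserName": username, "Token": token}
    headers["Location"] = f"{SESSIONS_URI}/{session_id}"
    headers["X-Auth-Token"] = token  # the token travels only in this header, never in the body
    return 201, headers, {
        "@odata.id": headers["Location"],
        "@odata.type": "#Session.v1_0_0.Session",
        "Id": session_id,
        "Name": "User Session",
        "UserName": username,
    }


if __name__ == "__main__":
    good = '{"UserName": "admin", "Password": "correct-horse-battery"}'
    bad = '{"UserName": "admin", "Password": "wrong"}'
    print(handle_session_post(good)[0])  # 201
    print(handle_session_post(bad, {"Authorization": "Basic YWRtaW46YQ=="})[0])  # 401
```

A client that drives this (the "plug-in" case mentioned above) would look at the 401 and the `@Message.ExtendedInfo` array itself rather than relying on a browser challenge, which is why the handler leaves WWW-Authenticate off by default and only emits it when the caller opts in.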