Warning when using basic auth mode
While the library should still allow using basic auth mode, I think we should put up a warning when it is in use recommending to users that they use session auth if at all possible, for a few reasons:
- Performance - Assuming that implementations are following best practices for passwords and using things like Argon2, Bcrypt, or PBKDF2, and that they are running on embedded processors on top of these expensive algorithms, then reauthenticating on each and every request can get quite expensive performance-wise.
- Security - Basic auth sends the credentials on each request and maintains a copy in memory which could result in the credentials being read in flight or in place given any other security issues.
I would use something like the urllib3 warning about insecure connections as a template, i.e. allowing it to be turned off with explicit code if end users really do have a need to use basic auth, but in general I think we should be guiding them to session auth which has a very wide support base.
11/21: After reviewing the spec, we do see that there is language in place that recommends that clients use session auth over basic auth. Having a warning message that borrows the same/similar language from the specification would be good here.
Some reference text:
Note: The IETF has highlighted security concerns with HTTP Basic authentication. While HTTPS is required for the usage of HTTP Basic authentication, there are other concerns implementers need to be aware of that RFC7617 documents. This functionality can be restricted or disabled with the HTTPBasicAuth property in the AccountService resource.
For improved performance and security, a client should use the session management interface to create a Redfish login session.
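As an added illustration (not code from the library or from this issue), the sketch below shows the urllib3-style pattern described above: a dedicated warning category raised when a client is constructed in basic auth mode, carrying the specification's language, plus an explicit `disable_basic_auth_warning()` opt-out. The `RedfishClient` class, its `auth="session"`/`auth="basic"` parameter, and `emitted_warnings()` are hypothetical names chosen for the example; the `auth_header()` method only exists to contrast what each mode puts on the wire per request.

```python
"""Added example: warn, urllib3-style, when a Redfish client uses HTTP Basic auth.

Hypothetical client; not the library's real API.
"""
import base64
import warnings


class RedfishBasicAuthWarning(UserWarning):
    """Emitted once per client object configured for HTTP Basic authentication."""


# Borrows the specification's wording so the guidance matches what the spec says.
BASIC_AUTH_MESSAGE = (
    "HTTP Basic authentication is in use. The IETF has highlighted security "
    "concerns with HTTP Basic authentication (see RFC 7617). For improved "
    "performance and security, a client should use the session management "
    "interface to create a Redfish login session. Call "
    "disable_basic_auth_warning() to silence this warning if basic auth is "
    "genuinely required."
)


def disable_basic_auth_warning():
    """Explicit, in-code opt-out, mirroring urllib3.disable_warnings()."""
    warnings.simplefilter("ignore", RedfishBasicAuthWarning)


class RedfishClient:
    """Minimal hypothetical client that models only the auth-mode decision."""

    def __init__(self, base_url, username, password, auth="session"):
        if auth not in ("session", "basic"):
            raise ValueError(f"unknown auth mode: {auth!r}")
        self.base_url = base_url
        self.auth = auth
        self._username = username
        self._password = password
        self.session_token = None
        if auth == "basic":
            # stacklevel=2 attributes the warning to the caller's line, as urllib3 does.
            warnings.warn(BASIC_AUTH_MESSAGE, RedfishBasicAuthWarning, stacklevel=2)

    def auth_header(self):
        """Header sent on each request: the secret itself in basic mode,
        an opaque session token in session mode (credentials sent once, at login)."""
        if self.auth == "basic":
            raw = f"{self._username}:{self._password}".encode()
            return {"Authorization": "Basic " + base64.b64encode(raw).decode()}
        if self.session_token is None:
            raise RuntimeError("no session: POST to the SessionService first")
        return {"X-Auth-Token": self.session_token}


def emitted_warnings(auth_mode, disabled=False):
    """Build a client under a fresh warning filter and return the categories raised.

    Used so the behaviour can be checked deterministically regardless of the
    process-wide filter state.
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        if disabled:
            disable_basic_auth_warning()  # scoped: catch_warnings restores filters on exit
        # Constructed sample endpoint and credentials; nothing is contacted.
        RedfishClient("https://bmc.example/redfish/v1", "admin", "pw", auth=auth_mode)
    return [w.category for w in caught]


if __name__ == "__main__":
    print("session:", emitted_warnings("session"))
    print("basic:  ", emitted_warnings("basic"))
    print("basic, disabled:", emitted_warnings("basic", disabled=True))
```

Because the filter entry added by `disable_basic_auth_warning()` is keyed to the `RedfishBasicAuthWarning` category, end users can silence exactly this warning without suppressing the rest of the `warnings` module, which is the same trade-off urllib3 makes with `InsecureRequestWarning`.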