williammartin
commented
6 years ago This commit seems to have introduced the MUST requirement on TLS at all times. This seems like a breaking change that we should revert.
That said, the previous text,
If authentication is used, the Service Broker MUST authenticate the request using the predetermined authentication mechanism, securing communications via TLS, and MUST return a
401 Unauthorizedresponse if the authentication fails.
suggests that if any authentication scheme (basic or otherwise) is used, TLS MUST also be used. It seems weird to conflate the concepts of platform to broker authentication and transport level security; though I can understand why one may want to ensure the latter in the case of the former, it shouldn't be required by the specification.
This commit first introduced text about the optionality of TLS, and later was followed by two commits introducing bearer tokens, and rewording, that required TLS during the authentication step. Later however, this TLS requirement was extended to all authentication mechanisms in this commit
My suggestion is that we remove the requirement of TLS on basic authentication, but keep the requirement for bearer tokens, as they were introduced together (and are required by https://tools.ietf.org/html/rfc6750) and therefore not breaking.
In fact in the following PR, this was called out as a breaking change.
In the platform to service broker auth section, there seems to be some contradictory text:
vs.
So, is it recommended or required?