w3c / wot-profile

Web of Things (WoT) Profile
http://w3c.github.io/wot-profile/

Define values of in and name for basic security scheme #374

Closed mmccool closed 1 year ago

mmccool commented 1 year ago

In Issue #6 we noted some missing details around the parameters for the "basic" security scheme that this PR tries to address:

We also haven't said anything about proxies in the profiles spec, but the current text does not disallow them that I can see.



benfrancis commented 1 year ago

Following up from the Profile call today. If the BasicSecurityScheme usage here is only intended to refer to HTTP Basic Auth and RFC7235 only allows credentials to be provided in an Authorization header, then my comment above is a moot point because other ways of providing the credentials are not possible anyway.


FWIW I re-checked the EventSource and WebSocket APIs and whilst you definitely can't manually set an Authorization header (e.g. to include an OAuth2/Bearer token), I'm technically wrong that requests can't include HTTP Authentication credentials. Both APIs have a credentials mode which can send HTTP Authentication credentials along with the request, but there's no way to provide those credentials via the API. The credentials can therefore only be sent if they have already been cached by the browser, which will only work in certain limited circumstances (which probably aren't particularly useful for WoT use cases).

Anyway, I retract my comment since it probably makes little difference in practice. Sorry for the churn.
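The constraint discussed above (HTTP Basic Auth per RFC 7235/7617 only carries credentials in the Authorization header) can be enforced on the consumer side when a TD's `basic` security scheme is turned into a request. The following is an added example, not code from the wot-profile project or from the PR; the security definition, the `in`/`name` defaults and the function names are assumptions.

```python
import base64

# Constructed TD security definition for HTTP Basic Auth (assumed shape;
# the exact wording this PR adopts for `in` and `name` is not on this page).
TD_SECURITY_DEFINITIONS = {
    "basic_sc": {"scheme": "basic", "in": "header", "name": "Authorization"},
}


def basic_credentials(user: str, password: str) -> str:
    """RFC 7617: 'Basic' + base64(user-id ':' password)."""
    if ":" in user:
        # RFC 7617 forbids ':' in the user-id; it would corrupt the split.
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_auth_header(scheme_def: dict, user: str, password: str) -> dict:
    """Return the single request header a TD 'basic' scheme requires.

    Basic Auth credentials only belong in the Authorization header (RFC 7235),
    so any other `in` location or header `name` is rejected instead of being
    sent somewhere (query string, body) where it would leak into logs/URLs.
    """
    if scheme_def.get("scheme") != "basic":
        raise ValueError("not a basic security scheme")
    location = scheme_def.get("in", "header")          # assumed default
    name = scheme_def.get("name", "Authorization")     # assumed default
    if location != "header" or name != "Authorization":
        raise ValueError(
            f"basic scheme requires in=header, name=Authorization "
            f"(got in={location!r}, name={name!r})"
        )
    return {name: basic_credentials(user, password)}


if __name__ == "__main__":
    hdr = build_auth_header(TD_SECURITY_DEFINITIONS["basic_sc"], "alice", "s3cret")
    print(hdr)  # {'Authorization': 'Basic YWxpY2U6czNjcmV0'}
```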

benfrancis commented 1 year ago

In the long term this should probably just be fixed in the TD specification, or an HTTP binding document. See https://github.com/w3c/wot-thing-description/issues/1781

mlagally commented 1 year ago

Profile call on March 232nd: Reviewed and approved to merge.