Closed mmccool closed 1 year ago
Following up from the Profile call today. If the BasicSecurityScheme usage here is only intended to refer to HTTP Basic Auth and RFC7235 only allows credentials to be provided in an Authorization header, then my comment above is a moot point because other ways of providing the credentials are not possible anyway.
FWIW I re-checked the EventSource and WebSocket APIs and whilst you definitely can't manually set an Authorization header (e.g. to include an OAuth2/Bearer token), I'm technically wrong that requests can't include HTTP Authentication credentials. Both APIs have a credentials mode which can send HTTP Authentication credentials along with the request, but there's no way to provide those credentials via the API. The credentials can therefore only be sent if they have already been cached by the browser, which will only work in certain limited circumstances (which probably aren't particularly useful for WoT use cases).
Anyway, I retract my comment since it probably makes little difference in practice. Sorry for the churn.
In the long term this should probably just be fixed in the TD specification, or an HTTP binding document. See https://github.com/w3c/wot-thing-description/issues/1781
Profile call on March 232nd: Reviewed and approved to merge.
In Issue #6 we noted some missing details around the parameters for the "basic" security scheme that this PR tries to address:
We also haven't said anything about proxies in the profiles spec, but the current text does not disallow them that I can see.