zowe / zowe-cli

Zowe CLI
Eclipse Public License 2.0

v3: Should presence of tokenValue in profile take precedence over user and password? #1794

Open t1m0thyj opened 1 year ago

t1m0thyj commented 1 year ago

Question: If a profile in zowe.config.json has both tokenValue and user/password defined, which should take precedence? Please read the context below and react to this issue with an emoji:

Current Behavior: In Zowe v2, the behavior is different between Zowe CLI (and SDKs) and Zowe Explorer. Zowe CLI gives precedence to user and password. They must be removed from the profile for tokenValue to take effect. Zowe Explorer gives precedence to tokenValue instead.

Expected Behavior: In Zowe v3, we could make this behavior consistent between CLI and Explorer. Since it is a new major version, breaking changes to the order of precedence are allowed in accordance with semver. It has been suggested by some users (see https://github.com/zowe/imperative/issues/1008) that tokenValue should have precedence.

gejohnston commented 1 year ago

When considering your votes on a change in the order of precedence of authentication, keep the following concern in mind.

User/password were given top precedence to accommodate the following scenario. Your site is using APIML with token authentication (with your token stored in your base profile). However, 2 of your 10 services are not integrated yet with APIML. Thus you must use user/password with those 2 services. You put user/password on the profiles for those 2 individual services. Those 2 services will have both a token (from your base profile) and user/password (from the service profile). It is only because user/password take precedence over tokens that you can connect directly to those 2 services, while the other 8 services only have an APIML token and connect through APIML.

If the order were changed to have token take precedence, then an APIML token would be passed directly to the 2 direct-to-service apps. That authentication would fail and you would have no way to connect to those 2 services.

I think that any solution to accommodate all scenarios will require a more elaborate implementation beyond simply changing the authentication order of precedence. The potential user impact of such changes is another reason why a complete solution should be targeted for V3.

t1m0thyj commented 1 year ago

Discussed with the team on today's standup - here are some additional concerns to keep in mind when voting, thanks @gejohnston and @zFernand0 for mentioning them 🙂

We also need to consider certificates if we make changes to the order of precedence. Currently the order is as follows: (1) User/password, (2) Token, (3) Certificate

If the desired order of precedence varies for different use cases, perhaps we could add a setting to zowe.config.json files that would allow users to define the order. For example:

"authTypePriority": ["token", "basic", "cert"]

adam-wolfe commented 7 months ago

I think it is safe to say that no change is planned in this regard for Zowe V3. Allowing users to specify an order of precedence is likely the safest answer and could be added without introducing breaking changes.
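The following TypeScript is an added illustration of the two points argued in this thread (gejohnston's mixed APIML/direct-service scenario and t1m0thyj's proposed authTypePriority setting); it is not Zowe CLI or Imperative code. The names Profile, Resolved, mergeProfiles, resolveAuth and resolveAll, the per-profile authTypePriority override, the sample hosts and the token string are all assumptions made for the example. It merges a base profile into each service profile (service properties winning), then walks an ordered list of auth types and picks the first one the merged profile can satisfy, so you can see which credential each service would end up sending under the v2 CLI order, under a token-first order, and with a per-profile override.

```typescript
// Added example, not Zowe's own implementation. Resolves which credential a
// merged profile should use from an ordered priority list like the proposed
// "authTypePriority" setting. All names and sample data below are assumed.

type AuthType = "basic" | "token" | "cert";

interface Profile {
  host?: string;
  user?: string;
  password?: string;
  tokenType?: string;
  tokenValue?: string;
  certFile?: string;
  certKeyFile?: string;
  authTypePriority?: AuthType[]; // hypothetical per-profile override
}

type Resolved =
  | { type: "basic"; user: string }
  | { type: "token"; tokenType: string; tokenValue: string }
  | { type: "cert"; certFile: string; certKeyFile: string }
  | { type: "none" };

// Zowe v2 CLI order as described in the thread: user/password, token, certificate.
const V2_CLI_ORDER: AuthType[] = ["basic", "token", "cert"];

// Service profile properties override base profile properties. This is how a
// service profile that only sets user/password still carries the base token.
function mergeProfiles(base: Profile, service: Profile): Profile {
  const merged: Profile = { ...base };
  for (const [k, v] of Object.entries(service)) {
    if (v !== undefined) (merged as Record<string, unknown>)[k] = v;
  }
  return merged;
}

// Returns the credential of the requested type if the profile can supply it.
function available(p: Profile, t: AuthType): Resolved | undefined {
  switch (t) {
    case "basic":
      return p.user && p.password ? { type: "basic", user: p.user } : undefined;
    case "token":
      return p.tokenValue
        ? { type: "token", tokenType: p.tokenType ?? "apimlAuthenticationToken", tokenValue: p.tokenValue }
        : undefined;
    case "cert":
      return p.certFile && p.certKeyFile
        ? { type: "cert", certFile: p.certFile, certKeyFile: p.certKeyFile }
        : undefined;
  }
}

// First auth type in the priority list that the merged profile satisfies wins.
// A per-profile authTypePriority (assumed here) overrides the default order.
function resolveAuth(p: Profile, defaultOrder: AuthType[] = V2_CLI_ORDER): Resolved {
  const order = p.authTypePriority ?? defaultOrder;
  for (const t of order) {
    const r = available(p, t);
    if (r) return r;
  }
  return { type: "none" };
}

// Constructed sample config mirroring the scenario in the thread: a base
// profile holding an APIML token, services that go through APIML, and two
// direct-to-service profiles that must use user/password.
const base: Profile = {
  host: "apiml.example.com",
  tokenType: "apimlAuthenticationToken",
  tokenValue: "constructed-sample-token",
};

const services: Record<string, Profile> = {
  zosmf: {}, // through APIML, token only
  jobs: {},  // through APIML, token only
  direct1: { host: "lpar1.example.com", user: "IBMUSER", password: "secret" },
  // Same as direct1 but pins basic first via the hypothetical per-profile setting.
  direct2: { host: "lpar2.example.com", user: "IBMUSER", password: "secret",
             authTypePriority: ["basic", "token", "cert"] },
};

// Which auth type each service would actually send under a given default order.
function resolveAll(order: AuthType[]): Record<string, AuthType | "none"> {
  const out: Record<string, AuthType | "none"> = {};
  for (const [name, svc] of Object.entries(services)) {
    out[name] = resolveAuth(mergeProfiles(base, svc), order).type;
  }
  return out;
}

console.log("v2 CLI order   :", resolveAll(V2_CLI_ORDER));
console.log("token-first    :", resolveAll(["token", "basic", "cert"]));
```

Under the v2 order both direct services resolve to basic and the APIML services to token. Flipping the default to token-first makes direct1 send the APIML token to a host that is not behind APIML (the failure gejohnston describes), while direct2 keeps working only because of its per-profile override, which is the kind of non-breaking addition adam-wolfe's comment points at.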