Basic Authentication Scheme

[kylef]

This pull request extends on the authentication framework (proposed in #4) to provide a base authentication scheme called "Basic".

Dependencies:

• Authentication Framework #4: Authentication Framework

[danielgtaylor]

Seems like this is very similar to the OAuth problem mentioned in the other PR. Basically you have a field that is made up of a constant and some computed value.

[danielgtaylor]

👍 Looks good.

[zdne]

I believe this ought be + Authentication (Basic)

[pksunkara]

+ Authenticated (Basic) to be exact.

[kylef]

This bas been addressed.

[zdne]

Looks good but the #5 (comment)

[zdne]

Ping @kylef this is good to go once https://github.com/apiaryio/api-blueprint-rfcs/pull/5/files#r42629521 is addressed.

[pksunkara]

What exactly are we configuring here? We say properties. But we are actually configuring sample username and sample password. I don't see any mention about the values being an example.

Also, I think we should have a default example username and example password for Basic.

[kylef]

As per the MSON Specification, 2.3.1 Property Member Types, the properties within an MSON object are called "Properties". The wording here reflects that.

These are properties within the authentication scheme's object.

[kylef]

As for the sample/example, I'm not sure I follow. What would the difference between sample and example be?

[pksunkara]

Mention the default values for the properties username and password, then this looks good.

[pksunkara]

My review is done. I have a #5 (comment) which needs to be clarified for this to move forward.

[pksunkara]

Reviewed the latest changes.

[kylef]

@pksunkara I've updated this pull request now.

[pksunkara]

@kylef Are we sure about this? Some users might want to directly use Basic simply like this:

+ Authenticated (Basic)

[kylef]

Yes they can, just because there are no defaults, doesn't mean you can't indicate that a resource/group/action/request example etc supports the basic scheme. It just represents there are not sample credentials available.

You don't need to define a sample username or password to use this scheme.

Does this make sense? Is there something I can add to make this a little clearer?

[pksunkara]

You don't need to define a sample username or password to use this scheme.

I understand and I agree. But we also need to think about the tools which use API Blueprint. Dredd, Documentation and others like them. Let's take the example of Dredd. User uses the Basic directly for an action. But what values will dredd use now when testing the server? If we leave this upto the tools, each one of them will have their own default values and user will start getting overwhelmed. Having a default sample username and password will avoid all this.

[kylef]

I think if there is no sample values, a user should have to supply the value to use at run-time. For example:

$ dredd --user kyle:password

I disagree that we should require services to provide a sample account which is described in the blueprint (and even dictating the default username/password).

/cc @netmilk -- would love to hear your thoughts around this matter.

[w-vi]

Dredd supports basic auth already by supplying the user and password from command line as described above by @kylef and I don't see a reason why we shouldn't keep it that way. I think the mandatory sample account is not necessary. Blueprint doesn't require defaults on anything so why it should all of a sudden require it it doesn't make sense. Sure I would push users to provide values as a convenient way how to do things but not force them to.

[zdne]

👍