The spec says that authentication works using standard HTTP auth.
However, some WebSocket clients don't support setting HTTP request headers (e.g. in the browser). Do we need to support such clients, and if yes, how does auth work?
I looked a bit into this. The JS clients are unable to set HTTP headers for WebSockets. This may be important if we decide to support Otel JS SDK, which is still an open issue.
If we decide that it is necessary, we will need to come up with an alternate auth approach, and in the JS WebSocket world it is typically done via URL query params. I suggest that we postpone this for now, and if later we decide we want it, we can add it as a protocol extension.
For plain HTTP transport header-based auth works fine.
For WebSocket transport, header-based auth cannot be used for some clients (e.g. JS). In this case the implementations are free to use auth via URL query params.
I think this is sufficient for now. We can close the issue. Any additional ways to do auth can be added to the spec later as additive, non-breaking changes (e.g. if we decide to standardize URL query-based auth).
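The header-or-query fallback discussed in this thread, as an added example that is not part of the issue or of any project's code: a server-side check for the WebSocket upgrade request that prefers the `Authorization` header, falls back to a query parameter for clients that cannot set headers, and masks the token before the URL is logged. The parameter name `access_token`, the `Bearer` scheme, the `/ws` path and all function names are assumptions made for illustration; the spec discussed here defines none of them.

```javascript
// Hypothetical parameter name; not defined by the spec under discussion.
const TOKEN_PARAM = "access_token";
// Relative request targets need a base to parse; the host is never used.
const BASE = "http://placeholder.invalid";

// Client side: a browser cannot pass headers to `new WebSocket(url)`,
// so the token has to travel in the URL.
function clientUrl(base, token) {
  const u = new URL(base);
  u.searchParams.set(TOKEN_PARAM, token);
  return u.toString();
}

// Server side: return { token, source } or null. The header wins if both exist.
function extractCredential(headers, rawUrl) {
  const auth = headers["authorization"];
  if (typeof auth === "string") {
    const m = /^Bearer\s+(\S+)$/i.exec(auth.trim());
    if (m) return { token: m[1], source: "header" };
  }
  const values = new URL(rawUrl, BASE).searchParams.getAll(TOKEN_PARAM);
  // Reject repeated or empty parameters instead of guessing which one is meant.
  if (values.length !== 1 || values[0] === "") return null;
  return { token: values[0], source: "query" };
}

// Compare without stopping at the first differing character.
function tokensEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

function authenticate(headers, rawUrl, expectedToken) {
  const cred = extractCredential(headers, rawUrl);
  return cred !== null && tokensEqual(cred.token, expectedToken);
}

// Query strings reach access logs and proxies, so mask the token before logging.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl, BASE);
  if (url.searchParams.has(TOKEN_PARAM)) url.searchParams.set(TOKEN_PARAM, "REDACTED");
  return url.pathname + url.search;
}
```

Because a query-string token is visible to anything that records the request URL, a short-lived token combined with TLS (`wss://`) limits what a leaked log line exposes.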