-
Improvement
-
Resolution: Unresolved
-
Normal
As stated in "Phase Two - Disable Digest Authentication" of MBS-357:
At some date (to be decided) digest authentication will be disabled. The only forms of authentication supported by the web service will be OAuth and basic authentication (over a secure connection).
Basic authentication is still not supported (outside of the OAuth2 token endpoint for client application credentials). If implemented, we should clearly document never to send Basic auth credentials over plain HTTP. If that happens, I think it's a good idea to inform the requester to change their password in the response rather than silently redirect to HTTPS.
- is related to: MBS-9207 Disallow HTTP Digest authentication (Open)
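One way to implement the behaviour proposed in the description, as an added example that is not part of the ticket or of the MusicBrainz server code: a WSGI middleware that answers Basic credentials sent over plain HTTP with an explicit warning instead of a redirect. The class name, the 403 status, the warning text and the reliance on `wsgi.url_scheme` (which must reflect the client-facing scheme when a reverse proxy terminates TLS) are assumptions.

```python
# Added example (standard library only); not MusicBrainz server code.
WARNING = (
    "Basic authentication credentials were sent over plain HTTP and may "
    "have been observed in transit. Change your password, then retry "
    "over HTTPS.\n"
)


def auth_scheme(environ):
    """Return the lower-cased Authorization scheme, or None if absent."""
    header = environ.get("HTTP_AUTHORIZATION", "").strip()
    return header.split(None, 1)[0].lower() if header else None


class RejectCleartextBasicAuth:
    """Refuse Basic credentials on plain HTTP instead of redirecting."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        insecure = environ.get("wsgi.url_scheme") != "https"
        if insecure and auth_scheme(environ) == "basic":
            # The password has already crossed the network in cleartext,
            # so a redirect would hide the exposure. Answer explicitly and
            # never hand the header to the application or to a log.
            body = WARNING.encode("utf-8")
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
                ("Cache-Control", "no-store"),
            ])
            return [body]
        # Everything else keeps the application's existing handling.
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for the wrapped web service."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def simulate(app, scheme, authorization=None):
    """Run one constructed request and return (status, body)."""
    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET"}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = {}
    body = b"".join(app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], body.decode("utf-8")
```

Only the Basic scheme triggers the warning, because a Basic header carries the password itself in reversible base64.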