Page MenuHomePhabricator

Client Developer makes unauthenticated sample API calls
Open, HighPublic

Description

"As a Client Developer, I want to make some API calls without providing an OAuth 2.0 client ID, so that I can test how the API calls work."

Most API calls should include an OAuth 2.0 Authorization: Bearer <xxxx> header.

Idempotent GET and HEAD API calls can be made without an OAuth 2.0 Authorization headers. (All API endpoints that use GET and HEAD should be idempotent.)

API calls without an OAuth Authorization header are subject to per-IP rate limiting.

PUT, DELETE, POST, PATCH and any other write methods are not allowed without an OAuth Authorization: Bearer <xxxx> header. If they're received, they should return a 401 Unauthorized HTTP status.

Event Timeline

eprodromou reassigned this task from eprodromou to hnowlan.Tue, Jun 30, 4:17 PM
eprodromou triaged this task as High priority.
eprodromou added a subscriber: apaskulin.

Hugh, this is a configuration issue for Envoy; it needs to bounce non-GET/HEAD requests that don't have an Authorization: header.

It came out of discussions with @apaskulin about workflows in T249776.