An API client was created with read-only access to the management API.
Every request from this API client other than GET, regardless of the destination URL, is rejected with a 401 Unauthorized error and is not logged.
Sample steps used to reproduce issue:
1. Send a request to the OAuth token endpoint and receive an access token:
$ curl -k -X POST -H "Authorization: Basic NTUyZTg3YzI0ZjMyNTdhOTVjMWQyNWUzY2JiNDg4MGU6OTE4YTUzNzI1ZTJlYTQ5ODAxYzQzNTI0OGU5MzU5NTM3ODc0YjQ5OTc3YjYwMTM3NWJmNDQ1xxxxx==" https://api.symcncashell2.luminatesite.com/v1/oauth/token
{"access_token":"333a17a7-2b3f-4687-81bc-3e11dd7d583d","expires_in":3600,"scope":"email profile","token_type":"bearer"}
2. Use this access token with the POST method to access the application and observe the 401 status response:
$ curl -k -X POST -H "lum-api-token: 333a17a7-2b3f-4687-81bc-3e11dd7d583d" https://LuninateMgmtRO.symcncashell2.luminatesite.com/
< HTTP/1.1 401 Unauthorized
< Date: Wed, 10 Nov 2021 10:15:51 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000
<
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Luminate Security | Error</title>
Read-only API clients require the GET method; POST is typically used to write data to the back-end application, which is not possible through a read-only resource.
Even though the back-end application itself is not read-only and can handle POST requests, a read-only API client cannot be used to front it.
Make sure that the GET method is used with any read-only API client:
$ curl -vvv -k -X GET -H "lum-api-token: f1d2afe9-28b1-4203-b8f4-0e16c980d776" https://LuninateMgmtRO.symcncashell2.luminatesite.com/
> GET / HTTP/1.1
> Host: LuninateMgmtRO.symcncashell2.luminatesite.com
> User-Agent: curl/7.74.0
> Accept: */*
> lum-api-token: f1d2afe9-28b1-4203-b8f4-0e16c980d776
< HTTP/1.1 200 Success
< Date: Wed, 10 Nov 2021 10:17:02 GMT
< Content-Type: text/html
< Transfer-Encoding: chunked
< Connection: keep-alive
< Strict-Transport-Security: max-age=31536000
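As an added example (not code from this page or from Symantec/Broadcom), the following Python script automates the two curl steps above: it obtains a token from /v1/oauth/token with Basic authentication, then sends GET, POST, PUT and DELETE to the application URL with the token in the lum-api-token header and reports the status each method receives, so a read-only client is recognised as "GET only" before it is put in front of an application. The tenant host, application URL and client credentials are placeholders read from environment variables; fake_read_only_tenant is a constructed stand-in that returns the responses shown on this page (JSON token, 200 for GET, 401 otherwise) so the script can be exercised offline.

```python
"""Probe which HTTP methods a Secure Access Cloud (Luminate) API client may use.

Added example, not code from the page or from the product. Mirrors the page's
two curl commands: a Basic-auth POST to /v1/oauth/token, then requests carrying
the returned token in the lum-api-token header. Host names and credentials are
placeholders supplied through environment variables.
"""
import base64
import json
import os
import urllib.error
import urllib.request

METHODS = ("GET", "POST", "PUT", "DELETE")


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the 'Basic <base64(id:secret)>' value the token endpoint expects."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def get_access_token(tenant_host, client_id, client_secret, opener=urllib.request.urlopen):
    """POST to /v1/oauth/token with Basic auth; return access_token from the JSON body."""
    req = urllib.request.Request(
        f"https://{tenant_host}/v1/oauth/token",
        data=b"",            # empty body, sent as a POST like the page's curl -X POST
        method="POST",
        headers={"Authorization": basic_auth_header(client_id, client_secret)},
    )
    with opener(req) as resp:
        body = json.loads(resp.read().decode())
    return body["access_token"]


def probe_method(url, token, method, opener=urllib.request.urlopen):
    """Send one request with the token in lum-api-token and return the HTTP status."""
    req = urllib.request.Request(url, method=method, headers={"lum-api-token": token})
    try:
        with opener(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # urllib raises on 4xx/5xx; keep the code
        return err.code


def probe_all(url, token, opener=urllib.request.urlopen):
    """Status code per method, e.g. {'GET': 200, 'POST': 401, 'PUT': 401, 'DELETE': 401}."""
    return {m: probe_method(url, token, m, opener) for m in METHODS}


def classify(results):
    """Read-only clients answer GET and reject every other method with 401 (heuristic)."""
    if results.get("GET") != 200:
        return "no access: check the token and the destination URL"
    others = [code for method, code in results.items() if method != "GET"]
    if all(code == 401 for code in others):
        return "read-only client: only GET is accepted"
    return "read/write client: non-GET methods are accepted"


# --- Constructed stand-in for a tenant, returning the responses seen on this page ---
class _FakeResponse:
    def __init__(self, status, body=b""):
        self.status, self._body = status, body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_read_only_tenant(req):
    """Simulated opener: token endpoint returns JSON; the app accepts GET only."""
    if req.full_url.endswith("/v1/oauth/token") and req.get_method() == "POST":
        return _FakeResponse(200, b'{"access_token":"constructed-token","expires_in":3600}')
    # urllib stores header names capitalised, so look up 'Lum-api-token'
    if req.get_header("Lum-api-token") != "constructed-token":
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
    if req.get_method() != "GET":
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, None)
    return _FakeResponse(200, b"<!DOCTYPE html>")


if __name__ == "__main__":
    # Real run: export LUM_TENANT, LUM_APP_URL, LUM_CLIENT_ID and LUM_CLIENT_SECRET first.
    token = get_access_token(os.environ["LUM_TENANT"],
                             os.environ["LUM_CLIENT_ID"], os.environ["LUM_CLIENT_SECRET"])
    results = probe_all(os.environ["LUM_APP_URL"], token)
    for method, code in results.items():
        print(f"{method:6} -> {code}")
    print(classify(results))
```

Unlike the page's curl -k, urllib verifies the TLS certificate, so a tenant with an untrusted certificate will fail before any status code is returned; fix the trust store rather than disabling verification. A 401 surfaces as urllib.error.HTTPError, which probe_method turns back into the status code so the method-by-method table reads like the curl output above.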
If the back-end application must handle POST requests, create a non-read-only API client in the Secure Access Cloud Portal and use that one instead.
The documentation is not clear on this requirement and will be updated to highlight it.