Anypoint Platform Design Center RAML client_id not being enforced


When I try this RAML in the mocking service, I get a 200 success response back even when I don't include a client_id and client_secret. Is that normal? Shouldn't I get a 401 response if I leave the headers empty, as I've defined them to be required?

#%RAML 1.0
title: Test

description: testing cloudhub

traits:
  client-id-required:
    headers:
      client_id:
        type: string
        required: true
      client_secret:
        type: string
        required: true
    responses:
      401:
        description: Unauthorized or invalid client application credentials
      500:
        description: Bad response from authorization server, or WSDL SOAP Fault error

/something:
  is: [client-id-required]
  get:
    responses:
      200:
        body:
          application/json:
            example:
              {
                "hello" : "goodbye"
              }


There is 1 answer

aled On BEST ANSWER

The Mocking Service should validate the missing headers. It is not clear why it is not. But I don't see any reason for it to respond with a 401. It is mocking a response, not trying to authenticate. It doesn't really implement the API after all. There is no reason for it to assume these headers are for authentication, just that they are required headers for your API.

Have you defined the headers but with an empty value? That may match the definition of required so they pass validation.
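The distinction the answer draws (a mock checks that a required header is present; only a real implementation can return 401 for bad credentials) can be shown with a small stand-in for the API. This is an added example, not code from the question, the answer or MuleSoft; the header specs are copied by hand from the trait above, and the client store, the `minLength`-style emptiness check and the response texts are constructed for illustration.

```python
import hmac
from typing import Dict, Optional, Tuple

# Header requirements transcribed from the client-id-required trait (constructed dict, not parsed RAML).
REQUIRED_HEADERS = {
    "client_id": {"type": "string", "required": True},
    "client_secret": {"type": "string", "required": True},
}

# Constructed sample credential store; a real gateway would look clients up in its registry.
KNOWN_CLIENTS = {"app-1": "s3cret-value"}

Result = Optional[Tuple[int, str]]


def validate_required(headers: Dict[str, str]) -> Result:
    """Schema-level check a mock can perform: is every required header present?
    An empty string still counts as present, which is the case the answer suspects."""
    missing = [h for h, spec in REQUIRED_HEADERS.items()
               if spec["required"] and h not in headers]
    if missing:
        return 400, "missing required header(s): " + ", ".join(missing)
    return None


def validate_non_empty(headers: Dict[str, str]) -> Result:
    """Stricter check, equivalent to adding minLength: 1 to each header type (assumed addition)."""
    empty = [h for h in REQUIRED_HEADERS if headers.get(h, "") == ""]
    if empty:
        return 400, "empty required header(s): " + ", ".join(empty)
    return None


def authenticate(headers: Dict[str, str]) -> Result:
    """Credential check only the real implementation does; this is what a 401 corresponds to.
    Constant-time comparison so secret verification does not leak timing information."""
    expected = KNOWN_CLIENTS.get(headers.get("client_id", ""))
    supplied = headers.get("client_secret", "").encode()
    if expected is None or not hmac.compare_digest(expected.encode(), supplied):
        return 401, "Unauthorized or invalid client application credentials"
    return None


def handle(headers: Dict[str, str]) -> Tuple[int, str]:
    """Run the checks in order and fall through to the GET /something success body."""
    for check in (validate_required, validate_non_empty, authenticate):
        err = check(headers)
        if err is not None:
            return err
    return 200, '{"hello": "goodbye"}'
```

Running `handle({"client_id": "", "client_secret": ""})` passes the presence check and is only rejected by the emptiness check, which is why a mock that validates `required` alone returns 200 for blank headers.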