Replies: 1 comment
-
Hi @b-shep !
Well... In the Administration API section everything is described! Ask us once again if something is unclear.
Ok. Sometimes it happens when an undocumented feature is uncovered by you. This is bad for sure. Personally I found 3 undocumented features in Ocelot during the last 6 months. It happened when a PR was merged without docs, so the docs weren't updated. As a project coordinator, I require writing docs for all new features, or a feature update possibly requires a docs update too. This is a part of our current development process.
Those requests were unauthorized! You had to get an access JWT token first to communicate with the Ocelot Admin API.
There is no risk because in order to communicate with the Administration API endpoints you have to create an auth JWT token with an internal or external Identity Server.
Hope it helps!
-
Follow up on issue #989. I'm curious as to what the purpose is of the /configuration and /outputcache/{region} endpoints?
The existence of these endpoints wasn't even realized by my team until they showed up in swagger, and there's no mention of them in any of the documentation I can find. They only seem to return 404, but I'm still curious about insight into why they exist.
Specifically my concern is that given Ocelot is typically public facing, doesn't having exposed endpoints (especially for global configuration and routes) represent a security risk?
Thanks in advance for any help/clarification!