Hello all

We have 2 issues with Magento 2.1.5 REST API that we can not resolve / understand.

1. Unauthorized API access via the integration that uses OAuth-based authentication: known document at http://devdocs.magento.com/guides/v2.1/rest/anonymous-api-security.html says that /rest/V1/customerGroups API is not available in this case (anonymoys access via OAuth-based authentication). This probably was true with previous versions but after the upgrade to 2.1.5, this (/rest/V1/customerGroups) API occurs to work. Has anonymous API security in 2.1.5 been updated so that it permits /rest/V1/customerGroups calls? other?

2. Token-based authentication: we have configured a dedicated admin user for API access from outside. Whatever role resources we configure for this user (even "All"), at least the following APIs are inaccessible:

/rest/default/V1/bundle-products/<SKU>/options/all: Unauthorized

{{"message":"Consumer is not authorized to access %resources","parameters":{"resources":"Magento_Catalog:roducts"}}

/rest/default/V1/products/attributes?search_criteria=: Unauthorized

{"message":"Consumer is not authorized to access %resources","parameters":{"resources":"Magento_Catalog::attributes_attributes"}}

Note that /rest/default/V1/products API is accessible.

In case of OAuth-based authentication, these APIs are available if /Products and /Stores/Attributes resources are checked in integration resourses

Is this a feature or is there something special we should configure / permit to use these APIs?

Thanks