We tracked this down to the file vendor/magento/module-webapi/Model/AbstractSchemaGenerator.php and then the getListOfServices() method: This method lists all the available SOAP methods when requesting this from a SOAP client. Within this method, there are two foreach loops. In the second loop, the check $this->authorization->isAllowed is used to check whether access to this Web API method is allowed, before allowing the method to be listed in the WSDL listing.

This seems incorrect. The WSDL listing should list all available methods at all times, while the ACL rules should be used to prevent usage of the actual methods. So it seems the WSDL listing is broken intentionally because of a false (sorry for the harsh word) security assumption. To me, and @tinxit it makes no sense to hide WSDL methods from the WSDL listing. Obviously their usage should be limited. But hiding their actual name breaks numerous SOAP applications.

Commenting out the if check fixes things.

Pull request is now also added: https://github.com/magento/magento2/pull/5501

Many of the services have been protected for security reasons. Please review the updated documentation here: http://devdocs.magento.com/guides/v2.1/get-started/soap/soap-web-api-calls.html

_See the Authentication section_

The WSDL should always be available only the real SOAP call should be secured. Check the link you gave, WSDL is public information.

As @mbrinton01 mentioned, this was done for security reasons. Here is the correct link to the documentation describing what has become restricted and how you can enable anonymous access again if necessary.

@paliarush tnixit is right. The WSDL NEEDS to be available anonymously as it's used by software to generate the classes to write software against. By hiding it against authentication we cannot generate the objects in the first instance and it wont comply with the standard. The SOAP API _calls_ need to be secured by authentication.

Can we please reopen this and get it fixed?

i was building an integration on 2.0.2 using soap c#, now i just updated to 2.1.2 all the soap modules are gone, i've enabled the allow anonymous web api thing,

i got

• integrationAdminTokenServiceV1
• storeStoreRepositoryV1
• catalogInventoryStockRegistryV1
• catalogProductRepositoryV1

still missing

• customerCustomerRepositoryV1
• salesOrderRepositoryV1
• salesOrderManagementV1
• salesInvoiceRepositoryV1
• salesInvoiceCommentRepositoryV1
• salesCreditmemoRepositoryV1
• salesCreditmemoCommentRepositoryV1

this needs to be addressed!

how would you expect anyone to do a full soap integration without the full wsdl structure???

@manhao-chen Until, or if, the fix this you can modify the source code to comment out the security in the Mage 2.1x source code so you can build the intermediate objects and create integration software via WSDL.

@MarkB42 Where do we comment out the security?

@manhao-chen I documented it on the Magento community forums for reference. Once you have built the objects you want to use you can put the code back to standard and it will continue accessing the obscured WSDL SOAP methods.

https://community.magento.com/t5/Programming-Questions/Magento-2-C-APIs-SOAP-problem/m-p/49677#M1206

if we dont comment permission and leave magento code as it is,

How do we access magento wsdl restricted services like below (using browser url or curl )?

soap/default?wsdl&services=salesOrderRepositoryV1

Do we have to use integrations or user level authentications?

Thanks

@nagrgk Simply put you have access to a VERY limited set of APIs if you enable the 'Allow Anonymous Access' in the store setup. Alternatively the best fix so far is use Magento 1.9.

Thank you all for your comments. Two points:

1. This is a bug, so I have reopened the issue. It should be possible to access the WSDL itself with anonymous access
2. Before we are able to fix the bug, if you use same authorization header you would use for a SOAP request, you should be able to access the WSDL

Tracking bug internally under MAGETWO-55200

Hi Mark, great finally :-) ! Thanks and I appreciate your effort to dive into this!

@mbrinton01 Thanks for re-opening this bug. Much appreciated.

Is there any solution?

6 months later and this critical bug is still present in Magento 2.1.3 Community

@tinxit @Tapin1 is this issue still critical given the work-around given above?

@misha-kotov Sadly the workaround does not work. The services are not showing in the WSDL and not working when you post to them directly. This is the case with and without an Authorization header. We have downgraded to 2.0.11 for now.

Just tested in 2.1.4. Still broken....

@kimpellikaan I cannot reproduce in 2.1.4. Do you have varnish enabled by any chance? There's an issue where If you request WSDL as anonymous first, then immediately after try with an Auth header, it will return the cached WSDL from your previous request. For me, it's caching it for a minute or so, but might depend on your settings.
If I turn off varnish, I get different WSDL responses with and without the authorization header.

I confirm, I had the same problem in version 2.1.0 and try several solutions listed here. Several services remain unavailable. So I proceeded to an update to 2.1.4 and still have issues, but most now seem to work. I have no Varnish and only Zend OPcache activated.

@mathieuderoy83 if you'd like us to look into your issues, please be more specific.

Just like @kimpellikaan, few services not appears on wsld list and not seem to be usable after fast testing over customerCustomerRepositoryV1 on direct post call in 2.1.4

@misha-kotov go to this URL: http:///soap/default?wsdl_list=1. Then you should see a list of services equal to this list: http://devdocs.magento.com/guides/v2.1/soap/bk-soap.html.

in Magento 2.1.5 this seems to be solved!

I had the same problem in version 2.1.5, so is there anyone else could help to fix this issue? My project is totally blocked by this issue. Thanks in advance.

Hey guys, this has been resolved in later versions. This is resolved in magento2.2 versions.

thanks

I haven't seen any information about Magento 2.2. Could you please provide more information or links on new version? Thanks.

I think fix has been added in later versions. Sorry, we use enterprise versions and I dont know if they have added fix in community versions yet.

I did not see any release note on Magento 2.2 for EE or ECE.
Has 2.2 been released? or will it be released soon? Thanks.

they released 2.6 already

Are you talking 2.1.6 version?

Oh yes, it was my mistake. It's 2.1.6 already and we found few of missing in earlier versions. Please let the us know what you not seeing. I can Check my side and let u know if available. Thanks

It looks like MAGETWO-55200 recently landed on the 2.1-develop branch. That most likely means this issue will be resolved in the next minor 2.1.x release.
Reference: https://github.com/magento/magento2/commit/cedeca02fdffd3bdde66a6202e8287b64b2da97c

That's correct. The ticket for the 2.2 branch is MAGETWO-66882, which has also been completed and merged into develop.

@misha-kotov, the cedeca0 commit seems to be scheduled for 2.1.8. Could you please keep the issue open until the fix is _actually released?_