Regression: Update ACL token API call REQUIRES AccessorID in request body in 1.15.x+ #17732
Description
Overview of the Issue
According to the Consul API docs, when updating an ACL token, the AccessorID needs to be in the URL but optionally in the body:
AccessorID (string: "") - Specifies the accessor ID of the token being updated. This field is required in the URL path but may also be specified in the JSON body. If specified in both places then they must be an exact match. This field is immutable. If not present in the body and only in the URL then it will be filled in by Consul.
However, it seems like since version 1.15.x, this is no longer the case. The AccessorID needs to be in both the URL and request body.
Reproduction Steps
Spin up a Consul cluster (1.15.3 in my case) and make the API call:
Request:
PUT /v1/acl/token/00000000-0000-0000-0000-000000000002 HTTP/1.1
X-Consul-Token: <omitted>

{
  "Description": "test123"
}
Response:
HTTP/1.1 400 Bad Request
Token Accessor ID in URL and payload do not match
If we include the Accessor ID in the request payload, then it works as expected:
PUT /v1/acl/token/00000000-0000-0000-0000-000000000002 HTTP/1.1
X-Consul-Token: <omitted>

{
  "AccessorID": "00000000-0000-0000-0000-000000000002",
  "Description": "test123"
}

HTTP/1.1 200 OK

{
  "AccessorID": "00000000-0000-0000-0000-000000000002",
  "CreateIndex": 6,
  "CreateTime": "2023-06-13T20:15:56.173566008Z",
  "Description": "test123",
  "Hash": "WDHbGc3bUV3KzY4z5ZAMOqUOjUJI4t1d9HwjPQj/6g8=",
  "Local": false,
  "ModifyIndex": 5967,
  "SecretID": "anonymous"
}
Consul info for both Client and Server
I have tried 1.15.3 and some other 1.15.x versions, and main (1.16.x), all with the same result. The web UI is also affected, as it does not include AccessorID in the request body. It means that the web UI cannot currently update an existing ACL token's policies, roles, or description.
The Consul CLI does NOT have this issue, as it appears to encode the token object into the request body.
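The contract quoted from the API docs above, written out as an added Go example; it is not Consul's code and not part of the original report. `tokenUpdate`, `decodeTokenUpdate` and `errMismatch` are hypothetical names, and the third request body uses a constructed accessor ID to show the mismatch case.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// tokenUpdate holds only the fields used in the issue's requests; it is not Consul's type.
type tokenUpdate struct {
	AccessorID  string
	Description string
}

var errMismatch = errors.New("Token Accessor ID in URL and payload do not match")

// decodeTokenUpdate (hypothetical helper) applies the documented contract:
// the URL path is authoritative, an empty body AccessorID is filled from it,
// and a non-empty body AccessorID must match it exactly.
func decodeTokenUpdate(path string, body []byte) (tokenUpdate, error) {
	var t tokenUpdate
	urlID := strings.TrimPrefix(path, "/v1/acl/token/")
	if urlID == "" || urlID == path {
		return t, errors.New("missing token accessor ID in URL")
	}
	if err := json.Unmarshal(body, &t); err != nil {
		return t, fmt.Errorf("decode body: %w", err)
	}
	switch {
	case t.AccessorID == "":
		t.AccessorID = urlID // body omitted it: fill in from the URL
	case t.AccessorID != urlID:
		return tokenUpdate{}, errMismatch // never update a token other than the one addressed
	}
	return t, nil
}

func main() {
	const path = "/v1/acl/token/00000000-0000-0000-0000-000000000002"
	// Constructed bodies: the first two are the issue's requests, the third is a mismatch.
	for _, body := range []string{
		`{"Description": "test123"}`,
		`{"AccessorID": "00000000-0000-0000-0000-000000000002", "Description": "test123"}`,
		`{"AccessorID": "00000000-0000-0000-0000-000000000001", "Description": "test123"}`,
	} {
		t, err := decodeTokenUpdate(path, []byte(body))
		fmt.Printf("%+v err=%v\n", t, err)
	}
}
```

A regression test for the reported behaviour would assert that the first body succeeds with the URL's accessor ID filled in, while the third still returns the mismatch error.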