New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/url: strict escaping cause issues while dealing with MDN Compliance APIs. #46509
Comments
From the perspective of the server, So I don't think that |
Hi @ZekeLu First of all, thanks for your attention on this.
Thanks |
You do not escape all the parameters. I guess it fails because some of the parameters contain special characters. Please have a test to see whether f := url.Values{
"grant_type": {"password"},
"client_id": {os.Getenv("CLIENTID")},
"client_secret": {os.Getenv("CLIENTSECRET")},
"scope": {os.Getenv("SCOPE")},
"userName": {os.Getenv("USERNAME")},
"password": {os.Getenv("PASSWORD")},
}
// compose the URL like this is dangerous too
resp, err := http.PostForm(os.Getenv("LOGIN_URL")+os.Getenv("TENANTID")+"/oauth2/v2.0/token", f) |
Hi @ZekeLu After replace characters it worked fine. But this http.PostForm method gave same result back from API. I'm not sure this is something related to GRAPH API. But once i replaced the escaped charaters back with unscaped as mentioned above, this http request works without any issu. Thanks |
@buddhika-ranasinghe Thanks for the clarification. It's very likely that this is an issue of the GRAPH API. Can you raise the issue to the GRAPH API owner and report back once you got an answer? |
Thanks a lot for your support on this. Thanks |
Does anyone here believe that this is still a Go bug? |
This comment has been minimized.
This comment has been minimized.
@buddhika-ranasinghe I have set up an Azure account to test this issue, and both password formats work (please note that Please examine your posted form body carefully to find out what's wrong. You can send the request with # post the data in the "form.txt" file in the current directory
curl -i --raw -X POST -d "@form.txt" -H "Content-Type: application/x-www-form-urlencoded" https://login.microsoftonline.com/[TENANT_ID]/oauth2/v2.0/token And here is an example
P.S. I noticed that you're using Windows. |
@ZekeLu Thanks for the suggestion. I can't paste the actual password here. But I can confirm that this is a valid password since once after I replace the characters of encoded string using below code, it works without any issue.
I have tried the same password with curl using "--data-urlencode" option, it also working.
|
@buddhika-ranasinghe Sorry that I didn't make it clear in the last comment that I want you to test with the raw form body without any encoding/decoding involved. For example, let's assume that Another approach is to use a tool (such as Fiddler) to capture the HTTP traffic, and to see what's the difference between the one that works and the one that doesn't. |
Hi @ZekeLu Thanks for all the support you have provided on this. I have identified the issue. Thanks for all the support provided by @ZekeLu and @seankhliao @dr2chase Kept ticket open to receive any further feedback. I'll close with a comment by another 7 days since this is sorted. |
Hey @buddhika-ranasinghe, well done! I have one question though, |
I just re validated my code sample for http.PostForm and identified the root cause for the http.PostForm not to work. Thanks a lot again. Cheers !!! |
Closing as this is resolved. |
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
I try to utilize Microsoft's Graph API.
What I experienced was the password which I need to get a JWT in below post request fails
https://login.microsoftonline.com/{{TenantID}}/oauth2/v2.0/token
Output :
My experience with postman can get the token without any issue.
But when I do the same in Go Native I face the issue since we need to encode the password to generate x-www-form-urlencode. I believe this happens because Go is strict rfc-3986 compliance. But this could lead to many of the API Services built with JS will fail to communicate with Go applications since they use encodeURIComponent()
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent
Posman Screenshot :
What did you expect to see?
What did you see instead?
I used below method to fix the issue.
Expect feedback and if this is accurate, also a fix in code.
Output :
The text was updated successfully, but these errors were encountered: