[IMPLEMENTED] Fallback character for app_name:client_id seperation

pushrbx · November 10, 2018, 7:17pm

I’m experimenting with Squidex again, to see if I can use it through the KrakenD API Gateway.
I’ve found an odd thing when I tried to setup a “read only” scenario, where KrakenD receives the requests without any token and forwards them to Squidex with a readonly token. (Midway gets the token from Squidex/IdentityServer)
The Go implementation of url encoding doesn’t allow : characters in the url components.
So if I have a clientId: app_name:readonly
KrakenD forwards: app_name%3Areadonly.

In the golang net/url package the implementation of url escaping is:
https://golang.org/src/net/url/url.go?s=25313:25344#L150
In the code they are referring to some RFC stuff, and based on that I’m assuming that the : is not allowed in the query string. Or the golang implementation is just wrong?

In the light of the above shouldn’t Squidex support a fallback character instead of : in the client_id?

Sebastian · November 10, 2018, 8:49pm

What would be a suitable character?

I would like to void - and _. Can I just add | for example?

If you can test it just add your character of choice: https://github.com/Squidex/squidex/blob/b5b0a362a18a6165552afcda5541986eba8cbbe3/src/Squidex/Areas/IdentityServer/Config/LazyClientStore.cs#L46

Can you not just make a post request instead? I am not sure if I understand the flow.

pushrbx · November 10, 2018, 10:49pm

It is already making a POST request according to the source code:

github.com

golang/oauth2/blob/master/internal/token.go#L193


func RetrieveToken(ctx context.Context, clientID, clientSecret, tokenURL string, v url.Values) (*Token, error) {
	bustedAuth := !providerAuthHeaderWorks(tokenURL)
	if bustedAuth {
		if clientID != "" {
			v.Set("client_id", clientID)
		}
		if clientSecret != "" {
			v.Set("client_secret", clientSecret)
		}
	}
	req, err := http.NewRequest("POST", tokenURL, strings.NewReader(v.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if !bustedAuth {
		req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
	}
	r, err := ctxhttp.Do(ctx, ContextClient(ctx), req)
	if err != nil {
		return nil, err

The flow is the following:
A simple javascript makes an http request to KrakenD (without any Authentication header or token):
http://localhost:3456/api/content/testapp/testschema
KrakenD gets the token from Squidex for a client which only has read permissions via client credentials flow (confidental), then makes a request to Squidex with the token, then returns the response from Squidex to the client.

You can try the characters here:
https://play.golang.org/p/HfrE0DsvUsg
The allowed special characters are specified here in golang’s implementation:
https://golang.org/src/net/url/url.go?s=25313:25344#L124

Just to give you more context: Golang comes with oauth2 support, it has a built-in lib for it. You don’t need to download any extra dependency, you can import the golang.org/x/oauth2/clientcredentials package and just use it. If you would write now a golang app, which would have to interact with squidex as client, it would have trouble getting a token because of the built-in oauth2 client of golang. You would be forced to write your own implementation.

I’ll try to test some characters tomorrow.

Sebastian · November 11, 2018, 9:52am

Hi, I have added the ~ for you.

pushrbx · November 11, 2018, 11:38am

Thanks, but that’s not the only place.
https://github.com/Squidex/squidex/blob/master/src/Squidex/Pipeline/Extensions.cs#L25

There is another one here.

Sebastian · November 11, 2018, 12:26pm

Thx, then I should make it the only place

Sebastian · November 11, 2018, 3:30pm