[IMPLEMENTED] Fallback character for app_name:client_id seperation

I’m experimenting with Squidex again, to see if I can use it through the KrakenD API Gateway.
I’ve found an odd thing when I tried to setup a “read only” scenario, where KrakenD receives the requests without any token and forwards them to Squidex with a readonly token. (Midway gets the token from Squidex/IdentityServer)
The Go implementation of url encoding doesn’t allow : characters in the url components.
So if I have a clientId: app_name:readonly
KrakenD forwards: app_name%3Areadonly.

In the golang net/url package the implementation of url escaping is:
In the code they are referring to some RFC stuff, and based on that I’m assuming that the : is not allowed in the query string. Or the golang implementation is just wrong?

In the light of the above shouldn’t Squidex support a fallback character instead of : in the client_id?

What would be a suitable character?

I would like to void - and _. Can I just add | for example?

If you can test it just add your character of choice: https://github.com/Squidex/squidex/blob/b5b0a362a18a6165552afcda5541986eba8cbbe3/src/Squidex/Areas/IdentityServer/Config/LazyClientStore.cs#L46

Can you not just make a post request instead? I am not sure if I understand the flow.

It is already making a POST request according to the source code:

The flow is the following:
A simple javascript makes an http request to KrakenD (without any Authentication header or token):
KrakenD gets the token from Squidex for a client which only has read permissions via client credentials flow (confidental), then makes a request to Squidex with the token, then returns the response from Squidex to the client.

You can try the characters here:
The allowed special characters are specified here in golang’s implementation:

Just to give you more context: Golang comes with oauth2 support, it has a built-in lib for it. You don’t need to download any extra dependency, you can import the golang.org/x/oauth2/clientcredentials package and just use it. If you would write now a golang app, which would have to interact with squidex as client, it would have trouble getting a token because of the built-in oauth2 client of golang. You would be forced to write your own implementation.

I’ll try to test some characters tomorrow.

Hi, I have added the ~ for you.

Thanks, but that’s not the only place. :smiley:

There is another one here.

Thx, then I should make it the only place :wink: