ipv6 zone identifier mitigation conflicts with URL percentage escape #469
Comments
Given that the RFC6874 states that @alsm - what are your thoughts?
…ing). This change broke connections to AWS (and potentially other websocket providers) due to the use of parameters. Ref issues eclipse#479 and eclipse#469. Signed-off-by: Matt Brittan <matt@brittan.nz>
Please try @master and let me know if this resolves the issues.
Yes, the master branch works. I can add the AWS pre-signed URL by Thank you!
Problem
When connecting to AWS IoT by "MQTT over WebSocket", we need to pre-sign the URL with the AWS v4 signer to authenticate. The signing process basically appends a bunch of query string parameters to the URL.
One of the query string parameters looks like this:
X-Amz-Credential=keyid%2Fdate%2Fregion%2Fservice%2Faws4_req
It's encoded because the parameter contains slashes. It can be decoded to
X-Amz-Credential=keyid/date/region/service/aws4_req
But the ipv6 zone identifier mitigation in ClientOptions#AddBroker, coming from bb7927e, replaces all % in the URL with %25, which escapes all % in the URL even though the percent sign itself is an escape.
paho.mqtt.golang/options.go, line 147 in 72d5136
After the replacement,
X-Amz-Credential=keyid%2Fdate%2Fregion%2Fservice%2Faws4_req
becomes
X-Amz-Credential=keyid%252Fdate%252Fregion%252Fservice%252Faws4_req
which will be decoded to
X-Amz-Credential=keyid%2Fdate%2Fregion%2Fservice%2Faws4_req
and AWS will complain about an invalid credential.
Expected Behavior
url.Parse from Golang seems to have had trouble with the zone identifier in the past. Here's the ticket
RFC6874 specifies how the zone identifier in the URI should be handled.
In section 2:
So perhaps the correct way is to remove the zone identifier mitigation, and the users that intend to append the zone identifier in the URL should escape it properly before passing it to ClientOptions#AddBroker.
But I expect doing so will be a breaking change.
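The double escaping described in this issue, as an added example (not code from the issue or from paho.mqtt.golang): blanketEscape models the replacement as the issue describes it, and zoneOnlyEscape is a hypothetical narrower variant that escapes only inside the bracketed IPv6 literal. The host name, zone name and function names are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample inputs; host name and zone name are placeholders.
const (
	presigned = "wss://broker.example.invalid/mqtt?X-Amz-Credential=keyid%2Fdate%2Fregion%2Fservice%2Faws4_req"
	zoned     = "tcp://[fe80::1%eth0]:1883"
)

// blanketEscape models the behaviour the issue describes: every "%" in the
// URL becomes "%25", including ones that already introduce an escape.
func blanketEscape(raw string) string {
	return strings.ReplaceAll(raw, "%", "%25")
}

// zoneOnlyEscape (hypothetical) rewrites "%" only inside a bracketed IPv6
// host literal and is idempotent for a zone already written as "%25".
func zoneOnlyEscape(raw string) string {
	i := strings.Index(raw, "://")
	if i < 0 || !strings.HasPrefix(raw[i+3:], "[") {
		return raw // no IPv6 literal directly after the scheme
	}
	end := strings.Index(raw, "]")
	if end < 0 {
		return raw
	}
	host := strings.ReplaceAll(raw[i+3:end], "%25", "%")
	return raw[:i+3] + strings.ReplaceAll(host, "%", "%25") + raw[end:]
}

// credential parses raw and returns the decoded X-Amz-Credential value.
func credential(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return u.Query().Get("X-Amz-Credential"), nil
}

func main() {
	for _, f := range []func(string) string{blanketEscape, zoneOnlyEscape} {
		c, err := credential(f(presigned))
		fmt.Println(c, err, f(zoned))
	}
}
```

URLs that carry userinfo before the bracketed host are not handled by zoneOnlyEscape and pass through unchanged.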