Skip to content

Fix OAuth1 double-encoding of RFC 3986 special characters in URL paths #2341

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 3 commits into
base: dev
Choose a base branch
from
Draft

Fix OAuth1 double-encoding of RFC 3986 special characters in URL paths #2341

Copilot wants to merge 3 commits into from
+84 −1

Conversation

Copy link
Contributor

Copilot AI commented Jan 12, 2026
edited
Loading

OAuth1 signature calculation was double-encoding special characters (!, *, ', (, )) in URL paths, causing 401 authentication failures. When URL segments containing these characters were added via AddUrlSegment(), they were encoded by Uri.EscapeDataString() during URL construction, then encoded again during signature base generation.

Changes

  • OAuthTools.ConstructRequestUrl: Decode url.AbsolutePath with Uri.UnescapeDataString() before returning. This prevents double-encoding since UrlEncodeRelaxed will encode the decoded path once correctly.

  • Tests: Added coverage for RFC 3986 special characters in both direct paths and URL segment parameters to verify single encoding.

Example

var client = new RestClient("https://api.example.com");
var request = new RestRequest("resource/{id}", Method.Get);
request.AddUrlSegment("id", "item!123");  // Previously: "item%2521123" in signature (double-encoded)
                                          // Now: "item%21123" in signature (correct)

var authenticator = OAuth1Authenticator.ForProtectedResource(
    consumerKey, consumerSecret, accessToken, accessTokenSecret
);

The fix applies to all RFC 3986 special characters: !, *, ', (, ).

Original prompt

This section details on the original issue you should resolve

<issue_title>OAuth1 - Path Segments with Special Char "!" - Results in Auth Error</issue_title>
<issue_description>A clear and concise description of what the bug is.

When using the reserved character '!', in a path segment, it returns a 401 unauthorized error.
Example:
https://.suitetalk.api.netsuite.com/services/rest/record/v1/purchaseOrder//**!**transform/vendorBill

Note: this is similar to Issue#2126. However, in that case, they were using special characters in the query parameters. However, here we are using reserved characters in the URL path segments.

To Reproduce
Note that when using postman, this end point works: https://.suitetalk.api.netsuite.com/services/rest/record/v1/purchaseOrder/30356/**!**transform/vendorBill

In C#, I am using the RestSharp library to handle authentication.
Note that we are already successfully using RestSharp to call many different NetSuite endpoints using OAuth1 authentication.
However, for this particular end point, we believe the "!" in the URL may not be handled properly.
This seems to be the only difference in this particular case.

This is the code to reproduce the issue:

private static RestRequest GenerateRestRequest(OAuthCredentials oAuthCredentials, string urlPathSegments, Method requestMethodType)
{
    var authenticator = OAuth1Authenticator.ForAccessToken(
        oAuthCredentials.ConsumerKey,
        oAuthCredentials.ConsumerSecret,
        oAuthCredentials.TokenID,
        oAuthCredentials.TokenSecret,
        OAuthSignatureMethod.HmacSha256
        );

    authenticator.Realm = oAuthCredentials.AccountID;

    RestRequest request = new RestRequest(Url.Combine(oAuthCredentials.CompanyURL, urlPathSegments), requestMethodType)
    {
        Authenticator = authenticator
    };

    return request;
}

public static async Task<RestResponse> NetSuiteTransformPOToVendorBill(this RestClient restClient, OAuthCredentials oAuthCredentials, NetSuiteVendorBill netSuitePOToVendorBillTransform, string NetSuitePOInternalID)
{
    string segmentStr = "{segment}";
    RestRequest request = GenerateRestRequest(oAuthCredentials, $"services/rest/record/v1/purchaseOrder/{NetSuitePOInternalID}/{segmentStr}/vendorBill", Method.Post);

    // I believe the "!" mark in this segment may not be handled correctly when generating the nonce or signature
    request.AddUrlSegment("segment", "!transform", false); 
    // Note: I have tried setting encoding to "true" as well
    // request.AddUrlSegment("segment", "!transform", true);

    request.AddHeader("Content-Type", "application/json");
    request.AddHeader("prefer", "transient");
    string serializedNetSuiteVendorBill = JsonConvert.SerializeObject(netSuitePOToVendorBillTransform);

    request.AddJsonBody(serializedNetSuiteVendorBill);

    return await restClient.ExecuteAsync(request);
}

Expected behavior
Returns Status: 204 No Content in Postman

Stack trace
error="token_rejected",
error_description="Invalid login attempt."
"title":"Unauthorized"
"status":401

Desktop (please complete the following information):

  • OS: Windows 11 Pro
  • .NET version .NET 6.0
  • Version RestSharp 110.2.0

Additional context

  • It works through postman
  • A NetSuite consultant we work has custom code that can hit this end point successfully (i.e. they don't use any open source libraries)
    </issue_description>

Comments on the Issue (you are @copilot in this section)

@alexeyzimarev There was a change released in v111 to handle special characters differently. However, the test that checks the encoding according to RFC 3986 is failing now.

It would be good to add expected and actual signature strings in OAuth1 issues, otherwise it turns to a guess game.</comment_new>
<comment_new>@alexeyzimarev
You don't have to provide real credentials. If you look at the tests I added, I used fixed values from Twitter OAuth1 docs that specifies values for everything, then it shows how the signature base will look like, and what the resulting signature will be. That page in their docs allowed me to create a reliable set of tests to verify that the code generates the correct signature base, and the actual signature is correct.

Could you please write a comment if there's any remaining issue now with the latest version? If yes, it'd be nice to have a repro code. </comment_new>

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@alexeyzimarev
Fix OAuth1 double-encoding issue for special characters in path segments
ca233ce 
Co-authored-by: alexeyzimarev <2821205+alexeyzimarev@users.noreply.github.com>
@cloudflare-workers-and-pages
Copy link

cloudflare-workers-and-pages bot commented Jan 12, 2026
edited
Loading

Deploying restsharp with  Cloudflare Pages  Cloudflare Pages

Latest commit: fa6c0d4
Status: ✅  Deploy successful!
Preview URL: https://03763a0e.restsharp.pages.dev
Branch Preview URL: https://copilot-fix-oauth1-auth-erro.restsharp.pages.dev

View logs

@alexeyzimarev
Add detailed security comment for Uri.UnescapeDataString usage
fa6c0d4 
Co-authored-by: alexeyzimarev <2821205+alexeyzimarev@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix OAuth1 auth error with path segments containing special character Fix OAuth1 double-encoding of RFC 3986 special characters in URL paths Jan 12, 2026
Copilot AI requested a review from alexeyzimarev January 12, 2026 15:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexeyzimarev alexeyzimarev Awaiting requested review from alexeyzimarev

Assignees

@alexeyzimarev alexeyzimarev

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OAuth1 - Path Segments with Special Char "!" - Results in Auth Error

2 participants

@alexeyzimarev