Description
KrakenD rejects URL path parameters containing special characters with "encoded url params" error
Environment
- KrakenD Version: [Please specify your version]
- OS: [Please specify]
- Deployment: [Docker/Kubernetes/Standalone - please specify]
- Go Plugin: Custom HTTP server plugin
Problem Description
KrakenD is rejecting valid HTTP requests that contain special characters (#, @) in path parameters, returning a 400 error with the message "encoded url params". This occurs even when the URLs are properly formatted and encoded according to RFC 3986.
Failing Request Example
GET /users/dummy_company.com#EXT#@company.onmicrosoft.com
<notice the #EXT#>
Expected Behavior
The request should be routed to the configured backend service with the user_id parameter properly handled, as this is a valid URL path segment.
Actual Behavior
KrakenD returns HTTP 400 with "encoded url params" error before the request reaches the configured backend or Go plugin handlers.
Configuration
Endpoint Configuration
{
  "endpoint": "/users/{user_id}",
  "method": "GET",
  "timeout": "180s",
  "output_encoding": "no-op",
  "input_query_strings": [
    "metadata",
    "links"
  ],
  "backend": [
    {
      "url_pattern": "/users/{user_id}",
      "method": "GET",
      "encoding": "no-op",
      "host": [
        "http://xxxxxx:8088"
      ]
    }
  ]
}
KrakenD Main Configuration
{
  "$schema": "https://www.krakend.io/schema/v3.json",
  "version": 3,
  "timeout": "30000ms",
  "cache_ttl": "300s",
  "port": "3000",
  "name": "bxpp",
  "disable_keep_alives": true,
  "plugin": {
    "pattern": ".so",
    "folder": "/plugins/"
  },
  "extra_config": {
    "plugin/http-server": {
      "name": ["<our authentication plugin>"]
    }
  }
}
Investigation Results
Through extensive debugging with custom Go plugin logging, we determined:
1. Timing of Error
- Error occurs after custom handling in our plugin.
- Error happens during KrakenD's internal routing/endpoint matching phase
- GIN logs show 400 status with the problematic URL
2. URL Encoding Tests
I tested multiple encoding approaches:
Original URL:
/users/dineshts_company.com#EXT#@company.onmicrosoft.com
URL Encoded:
/v1/management/users/dineshts_company.com%23EXT%23%40company.onmicrosoft.com
Result: Both variations fail with the same 400 "encoded url params" error
3. Workaround Confirmation
When I bypass KrakenD's routing entirely in our Go plugin and handle the request directly, the error disappears, confirming the issue is in KrakenD's parameter validation.
Logs
[GIN] 2025/09/24 - 08:27:07 | 400 | 566.083µs | 142.251.223.243 | GET "/users/dineshts_company.com#EXT#@company.onmicrosoft.com"
Use Case Context
This issue affects Microsoft Azure AD B2B guest user scenarios where user identities follow the format:
username_domain.com#EXT#@tenant.onmicrosoft.com
This is a standard Microsoft identity format that cannot be easily changed, making it a blocking issue for Azure AD integration.
Questions
- Parameter Validation: Does KrakenD have built-in validation rules for path parameters that reject certain characters?
- Configuration Options: Are there settings to disable or customize path parameter validation?
- RFC Compliance: Should KrakenD accept properly escaped special characters in path parameters per RFC 3986?
- Error Location: Where in KrakenD's codebase does the "encoded url params" error message originate?
Potential Solutions
I'd appreciate guidance on:
- Configuration options to allow special characters in path parameters
- Alternative endpoint patterns that might work around this limitation
- Whether this is intended behavior or a bug
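
Added example, not part of the original issue and not KrakenD's code: using Go's net/url, it shows how the two request forms tested above parse, and what happens to the identity when a decoded `{user_id}` is pasted into a backend `url_pattern` without re-escaping. The helper names are hypothetical, and the issue does not say whether KrakenD's check exists for this reason.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed inputs: the two request forms tested in the report.
const (
	rawForm     = "/users/dummy_company.com#EXT#@company.onmicrosoft.com"
	encodedForm = "/users/dummy_company.com%23EXT%23%40company.onmicrosoft.com"
)

// clientView parses s the way an HTTP client does: the first raw '#' starts
// the fragment, and the fragment is never put on the wire.
func clientView(s string) (path, fragment string) {
	u, err := url.Parse(s)
	if err != nil {
		return "", ""
	}
	return u.Path, u.Fragment
}

// userID returns the decoded {user_id} of a received request target (hypothetical helper).
func userID(requestURI string) string {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return ""
	}
	return strings.TrimPrefix(u.Path, "/users/")
}

// backendPath fills pattern with id and returns the path an HTTP client built
// from that string would send. escape=false pastes the decoded value as-is.
func backendPath(pattern, id string, escape bool) string {
	if escape {
		id = url.PathEscape(id)
	}
	path, _ := clientView(strings.ReplaceAll(pattern, "{user_id}", id))
	return path
}

func main() {
	id := userID(encodedForm)
	fmt.Println(clientView(rawForm))
	fmt.Println(backendPath("/users/{user_id}", id, false)) // truncated at '#'
	fmt.Println(backendPath("/users/{user_id}", id, true))  // full identity kept
}
```

Without re-escaping, the backend would be asked for `dummy_company.com` instead of the guest identity, which is the kind of mismatch a gateway-side parameter check guards against.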