HTTP basic authentication URL with “@” in password

Question

I'm trying to set up some selenium tests to our staging server using Sauce Labs. It's behind a basic HTTP auth, so theoretically I could set the selenium URL to http://user:[email protected]. However, the password contains a "@", causing all sorts of problems as you can imagine. I tried escaping it with a backslash but that did nothing from what I can tell.

So,

1. is there an alternative way to do HTTP authentication using selenium, i.e., not via the URL. Or,
2. is there a way to use URL-based auth but somehow tell the browser that the "@" is part of the password?

Answer 1

It is indeed not possible to pass the username and password via query parameters in standard HTTP auth. Instead, you use a special URL format, like this: http://username:[email protected]/ -- this sends the credentials in the standard HTTP "Authorization" header.

It's possible that whomever you were speaking to was thinking of a custom module or code that looked at the query parameters and verified the credentials. This isn't standard HTTP auth, though, it's an application-specific thing.

Also, Passing Basic authentication parameters in URL not recommended

There is an Authorization header field for this purpose check it here: http header list

How to use it is written here: Basic access authentication

There you can also read that although it is still supported by some browsers the suggested solution of adding the Basic authorization credentials in the URL is not recommended.

Read also chapter 4.1 in RFC 2617 - HTTP Authentication for more details on why NOT to use Basic Authentication.

Passing authentication parameters in a query string

When using OAuth or other authentication services you can often also send your access token in a query string instead of in an authorization header, so something like:

GET https://www.example.com/api/v1/users/1?access_token=1234567890abcdefghijklmnopqrstuvwxyzABCD

Answer 2

The two ways to use HTTP authentication in Selenium with passwords which contain special characters like @ are

HTTP Authentication Methods

JavaScript Injection

Using JavaScript injection, you would set the credentials after loading the page instead of including them in the URL; this helps you avoid having problems with special characters inside the password.

from selenium import webdriver

driver = webdriver.Chrome()

driver.get('http://www.stagesite.com')

driver.execute_script("document.getElementById('username').value = 'user';")

driver.execute_script("document.getElementById('password').value = 'your@password';")

driver.execute_script("document.querySelector('form').submit();")

Custom Proxy

Authentication management using a proxy like BrowserMob Proxy can be managed without changing the URL, and it is very helpful for capturing network traffic and managing complex authentication scenarios.

BrowserMob Proxy Setup

Start the proxy server.

Configure Selenium to use the proxy.

BrowserMobProxyServer proxy = new BrowserMobProxyServer();

proxy.start(0);

int port = proxy.getPort();

Proxy seleniumProxy = ClientUtil.createSeleniumProxy(proxy);

DesiredCapabilities capabilities = new DesiredCapabilities();

capabilities.setCapability(CapabilityType.PROXY, seleniumProxy);

WebDriver driver = new ChromeDriver(capabilities);

With such a configuration, you could permit HTTP requests and responses that were accompanied by efficient authentication.

Encoding URLs

If you do accept the URL method of encoding, you should encode the special characters within it carefully. For example, this character: @ should be represented as %40:

url = "http://user:your%[email protected]"

Encoded in this way allows the browser to read them as being part of your password thereby eliminating any eventual complications which may arise by the existence of special characters.