URLs use percent-encoding, aka URL encoding. The @ sign is %40 in this encoding.
% curl -k -X POST https://user1:mypass8%40@myshop.com/job/build
Or alternatively with the -u / --user parameter:
% curl -u user1:mypass8@ -k -X POST https://myshop.com/job/build
RFC 3986 section 3.2.1 states:
The userinfo subcomponent may consist of a user name and, optionally, scheme-specific information about how to gain authorization to access the resource. The user information, if present, is followed by a commercial at-sign ("@") that delimits it from the host.
userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
Use of the format "user:password" in the userinfo field is deprecated. Applications should not render as clear text any data after the first colon (":") character found within a userinfo subcomponent unless the data after the colon is the empty string (indicating no password). Applications may choose to ignore or reject such data when it is received as part of a reference and should reject the storage of such data in unencrypted form. The passing of authentication information in clear text has proven to be a security risk in almost every case where it has been used.
Applications that render a URI for the sake of user feedback, such as in graphical hypertext browsing, should render userinfo in a way that is distinguished from the rest of a URI, when feasible. Such rendering will assist the user in cases where the userinfo has been misleadingly crafted to look like a trusted domain name (Section 7.6).
Tested with this tiny Go application:
package main

import (
	"log"
	"net/http"
)

// auth wraps a handler and rejects requests without valid Basic credentials.
func auth(fn http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user, pass, _ := r.BasicAuth()
		if !check(user, pass) {
			http.Error(w, `Unauthorized.`, 401)
			return
		}
		fn(w, r)
	}
}

// check accepts a single hard-coded test account whose password ends in "@".
func check(user string, pass string) bool {
	if user == `user` && pass == `pass@` {
		return true
	}
	return false
}

func index(writer http.ResponseWriter, request *http.Request) {
	writer.Write([]byte(`hello, world!`))
}

func main() {
	http.HandleFunc("/", auth(index))
	if err := http.ListenAndServe(":8080", nil); err != nil {
		log.Fatal(err)
	}
}
Run server:
% go run .
Test:
% curl -k -X POST http://user:pass%[email protected]:8080/
hello, world!
% curl -k -X POST http://user:[email protected]:8080/
Unauthorized.
% curl --version
curl 7.72.0 (x86_64-pc-linux-gnu) libcurl/7.72.0 OpenSSL/1.1.1g zlib/1.2.11 zstd/1.4.5 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.41.0
Release-Date: 2020-08-19
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd
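The same encoding done in Go instead of by hand, as an added example that is not part of the original answer: url.UserPassword percent-encodes the password, and Redacted (Go 1.15 or later) hides it before the URL is logged, in line with the RFC 3986 text quoted above. The helper names BuildURL, Credentials and SafeForLog are hypothetical; the credentials and host are the sample values from the curl commands.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// BuildURL puts credentials into the userinfo part of a URL.
// url.UserPassword percent-encodes reserved characters, so an "@" in the
// password becomes %40 instead of being read as the userinfo delimiter.
func BuildURL(user, pass, host, path string) string {
	u := url.URL{Scheme: "https", User: url.UserPassword(user, pass), Host: host, Path: path}
	return u.String()
}

// Credentials parses a URL and returns the decoded user name and password.
func Credentials(raw string) (user, pass string, err error) {
	u, err := url.Parse(raw)
	if err != nil || u.User == nil {
		return "", "", errors.New("URL has no usable userinfo")
	}
	pass, _ = u.User.Password()
	return u.User.Username(), pass, nil
}

// SafeForLog replaces the password before a URL is logged or displayed.
// The url.Parse error is not passed on because its message quotes the
// input string, which would put the password into the log anyway.
func SafeForLog(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", errors.New("unparseable URL")
	}
	return u.Redacted(), nil
}

func main() {
	// Sample values taken from the curl commands in the answer.
	raw := BuildURL("user1", "mypass8@", "myshop.com", "/job/build")
	fmt.Println(raw)
	user, pass, _ := Credentials(raw)
	fmt.Println(user, pass)
	safe, _ := SafeForLog(raw)
	fmt.Println(safe)
}
```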
--user username:password? This is used as an example at jenkins.io/doc/book/using/remote-access-api