A customer pointed out that API Key processing in PAM escapes a forward slash with a backslash. The customer indicated that escaping the forward slash seems to violate the JSON specification, and the customer's application had issues when a password containing an escaped forward slash was returned. This document discusses the issue and concludes that PAM's escaping of the forward slash is not a violation of the JSON spec. In addition, a resolution is shared.
Release: All supported versions of PAM
Request For Information
Broadcom Engineering completed its research into this issue and concluded the following.
1. The JSON spec does not mandate that the forward slash not be escaped. The spec actually states that some characters may be escaped, and the forward slash is one of them. Hence, while the JSON spec does not require forward slashes to be escaped, it does permit it.
2. A Google search shows that many JSON implementations also escape the forward slash. For example, PHP's native json_encode function escapes forward slashes by default.
Refer to the discussion at https://stackoverflow.com/questions/1580647/json-why-are-forward-slashes-escaped
3. As shown below (highlighted in yellow) you may exclude the forward slash using a Password Composition Policy with such target accounts.
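The following added example (not Broadcom or PAM code) illustrates points 1 and 2 from the client side: a JSON parser turns the escaped `\/` back into `/`, while cutting the value out of the raw text keeps the backslash and yields a wrong password. The response body, field names and password are constructed for illustration and are not PAM's documented schema.

```python
import json
import re

# Constructed sample body; field names and values are hypothetical.
RAW_RESPONSE = r'{"accountName": "svc_backup", "password": "Xy7\/kQ\/92!b"}'
EXPECTED_PASSWORD = "Xy7/kQ/92!b"


def extract_with_parser(body: str) -> str:
    """Decode the body with a JSON parser, which resolves every escape sequence."""
    return json.loads(body)["password"]


def extract_with_regex(body: str) -> str:
    """Fragile approach: slice the value out of the raw text, escapes left as-is."""
    match = re.search(r'"password"\s*:\s*"((?:[^"\\]|\\.)*)"', body)
    if match is None:
        raise ValueError("password field not found")
    return match.group(1)


def same_document(a: str, b: str) -> bool:
    """Two JSON texts are equivalent if they decode to the same value."""
    return json.loads(a) == json.loads(b)


if __name__ == "__main__":
    unescaped = RAW_RESPONSE.replace("\\/", "/")
    print("parser :", extract_with_parser(RAW_RESPONSE))
    print("regex  :", extract_with_regex(RAW_RESPONSE))
    print("escaped and unescaped bodies equivalent:",
          same_document(RAW_RESPONSE, unescaped))
```

If the consuming application shows the backslash in the retrieved password, the usual cause is that it reads the value from the raw response text instead of decoding the JSON.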