From andreas at faafeng.com Mon Nov 25 09:22:48 2024
From: andreas at faafeng.com (Andreas Faafeng)
Date: Mon, 25 Nov 2024 09:22:48 +0000
Subject: [OpenID] Scope separator encoding: "+" vs "%20"
Message-ID: <8b4d9d30839fcc0e2310aecb1162a32d@faafeng.com>

Hi all,

I am new to OpenID so please forgive my ignorance. I find myself in a situation where two parties cannot agree on which of the following is the correct interpretation of the OpenID specification with regards to scope separator encoding:

A. scope=openid+profile+email
B. scope=openid%20profile%20email

The specification [1] states that "Query String Serialization" shall follow application/x-www-form-urlencoded format according to (the now out of date 2018, new link below) "HTML 4.01 Specification" [2] which in turn refers to [3], [4] which says:

"URLSearchParams objects will percent-encode anything in the application/x-www-form-urlencoded percent-encode set, and will encode U+0020 SPACE as U+002B (+)."

Am I wrong to then assume that the above option A is indeed the correct interpretation of the OpenID specification such that its example [5] is misleading or even incorrect? Can or shall both be accepted?

Thank you in advance for your time and effort.

[1] https://openid.net/specs/openid-connect-core-1_0.html#QuerySerialization
[2] https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#url-encoded-form-data
[3] https://url.spec.whatwg.org/#concept-urlencoded
[4] https://url.spec.whatwg.org/#example-constructing-urlsearchparams
[5] https://openid.net/specs/openid-connect-core-1_0.html#codeExample

--
Best regards
Andreas

From joseph at authlete.com Mon Nov 25 12:13:12 2024
From: joseph at authlete.com (Joseph Heenan)
Date: Mon, 25 Nov 2024 12:13:12 +0000
Subject: [OpenID] Scope separator encoding: "+" vs "%20"
In-Reply-To: <8b4d9d30839fcc0e2310aecb1162a32d@faafeng.com>
References: <8b4d9d30839fcc0e2310aecb1162a32d@faafeng.com>
Message-ID: <4741A153-7A2E-4192-AF61-C66F6638F41F@authlete.com>

Hi Andreas

This has come up occasionally over the years - there is some background here: https://gitlab.com/openid/conformance-suite/-/issues/1165

The short answer however is that authorization servers should accept both forms.

Thanks

Joseph

> On 25 Nov 2024, at 09:22, Andreas Faafeng wrote:
>
> Hi all,
>
> I am new to OpenID so please forgive my ignorance. I find myself in a situation where two parties cannot agree on which of the following is the correct interpretation of the OpenID specification with regards to scope separator encoding:
>
> A. scope=openid+profile+email
> B. scope=openid%20profile%20email
>
> The specification [1] states that "Query String Serialization" shall follow application/x-www-form-urlencoded format according to (the now out of date 2018, new link below) "HTML 4.01 Specification" [2] which in turn refers to [3], [4] which says:
>
> "URLSearchParams objects will percent-encode anything in the application/x-www-form-urlencoded percent-encode set, and will encode U+0020 SPACE as U+002B (+)."
>
> Am I wrong to then assume that the above option A is indeed the correct interpretation of the OpenID specification such that its example [5] is misleading or even incorrect? Can or shall both be accepted?
>
> Thank you in advance for your time and effort.
>
> [1] https://openid.net/specs/openid-connect-core-1_0.html#QuerySerialization
> [2] https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#url-encoded-form-data
> [3] https://url.spec.whatwg.org/#concept-urlencoded
> [4] https://url.spec.whatwg.org/#example-constructing-urlsearchparams
> [5] https://openid.net/specs/openid-connect-core-1_0.html#codeExample
>
> --
> Best regards
> Andreas
> _______________________________________________
> general mailing list
> general at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-general

From dick.hardt at gmail.com Mon Nov 25 12:44:45 2024
From: dick.hardt at gmail.com (Dick Hardt)
Date: Mon, 25 Nov 2024 12:44:45 +0000
Subject: [OpenID] Scope separator encoding: "+" vs "%20"
In-Reply-To: <4741A153-7A2E-4192-AF61-C66F6638F41F@authlete.com>
References: <8b4d9d30839fcc0e2310aecb1162a32d@faafeng.com> <4741A153-7A2E-4192-AF61-C66F6638F41F@authlete.com>
Message-ID:

Both are valid URL string encodings for a space

The spec says space delimited

On Mon, Nov 25, 2024 at 12:13 PM Joseph Heenan wrote:

> Hi Andreas
>
> This has come up occasionally over the years - there is some background
> here: https://gitlab.com/openid/conformance-suite/-/issues/1165
>
> The short answer however is that authorization servers should accept both
> forms.
>
> Thanks
>
> Joseph
>
> On 25 Nov 2024, at 09:22, Andreas Faafeng wrote:
>
> Hi all,
>
> I am new to OpenID so please forgive my ignorance. I find myself in a
> situation where two parties cannot agree on which of the following is the
> correct interpretation of the OpenID specification with regards to scope
> separator encoding:
>
> A. scope=openid+profile+email
> B. scope=openid%20profile%20email
>
> The specification [1] states that "Query String Serialization" shall
> follow application/x-www-form-urlencoded format according to (the now out
> of date 2018, new link below) "HTML 4.01 Specification" [2] which in turn
> refers to [3], [4] which says:
>
> "URLSearchParams objects will percent-encode anything in the
> application/x-www-form-urlencoded percent-encode set, and will encode
> U+0020 SPACE as U+002B (+)."
>
> Am I wrong to then assume that the above option A is indeed the correct
> interpretation of the OpenID specification such that its example [5] is
> misleading or even incorrect? Can or shall both be accepted?
>
> Thank you in advance for your time and effort.
>
> [1]
> https://openid.net/specs/openid-connect-core-1_0.html#QuerySerialization
> [2]
> https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#url-encoded-form-data
> [3] https://url.spec.whatwg.org/#concept-urlencoded
> [4] https://url.spec.whatwg.org/#example-constructing-urlsearchparams
> [5] https://openid.net/specs/openid-connect-core-1_0.html#codeExample
>
> --
> Best regards
> Andreas

From andreas at faafeng.com Mon Nov 25 19:07:28 2024
From: andreas at faafeng.com (Andreas Faafeng)
Date: Mon, 25 Nov 2024 20:07:28 +0100
Subject: [OpenID] Scope separator encoding: "+" vs "%20"
In-Reply-To:
References: <8b4d9d30839fcc0e2310aecb1162a32d@faafeng.com> <4741A153-7A2E-4192-AF61-C66F6638F41F@authlete.com>
Message-ID: <87d4fe65abb10b076da0c8d6e9f2f52f@faafeng.com>

Gentlemen,

thank you both for your prompt and insightful responses.

--
Best regards
Andreas

On 2024-11-25 13:44, Dick Hardt wrote:
> Both are valid URL string encodings for a space
[..]
> On Mon, Nov 25, 2024 at 12:13 PM Joseph Heenan
> wrote:
> [..]
> The short answer however is that authorization servers should accept
> both forms.
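
Added example (not part of the thread and not code from any OpenID implementation): forms A and B from the question, decoded with application/x-www-form-urlencoded rules as the replies recommend, next to a plain percent-decoder that leaves "+" as a literal character. The function names and the sample query strings are constructed for illustration.

```javascript
// Added example; parseScope, parseScopeNaive, serializeForm and
// serializePercent are hypothetical names, not part of any OpenID library.

// Form-urlencoded decoding: URLSearchParams maps both "+" and "%20" to U+0020.
function parseScope(query) {
  const raw = new URLSearchParams(query).get("scope") ?? "";
  // scope is a space-delimited list; drop empty tokens from repeated spaces.
  return raw.split(" ").filter(Boolean);
}

// Plain percent-decoding: decodeURIComponent only handles %XX sequences,
// so "+" survives as a literal plus and form A collapses into one token.
function parseScopeNaive(query) {
  for (const pair of query.split("&")) {
    const eq = pair.indexOf("=");
    const name = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    if (name === "scope") {
      const value = eq < 0 ? "" : decodeURIComponent(pair.slice(eq + 1));
      return value.split(" ").filter(Boolean);
    }
  }
  return [];
}

// Client side: two common serializers emit the two forms from the question.
function serializeForm(scopes) {
  return new URLSearchParams({ scope: scopes.join(" ") }).toString();
}
function serializePercent(scopes) {
  return "scope=" + encodeURIComponent(scopes.join(" "));
}

// Constructed sample inputs: forms A and B inside a longer query string.
const formA = "response_type=code&scope=openid+profile+email";
const formB = "response_type=code&scope=openid%20profile%20email";

console.log("A, form decoder: ", parseScope(formA));
console.log("B, form decoder: ", parseScope(formB));
console.log("A, naive decoder:", parseScopeNaive(formA));
console.log("B, naive decoder:", parseScopeNaive(formB));
```

A server that compares the naive result for form A against its registered scope names sees a single unknown scope, which is the interoperability failure behind the question. A literal plus sign inside a value has to be sent as %2B under form decoding.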