[OpenID] Scope separator encoding: "+" vs "%20"
Andreas Faafeng
andreas at faafeng.com
Mon Nov 25 09:22:48 UTC 2024
Hi all,
I am new to OpenID so please forgive my ignorance. I find myself in a
situation where two parties cannot agree on which of the following is
the correct interpretation of the OpenID specification with regard to
scope separator encoding:
A. scope=openid+profile+email
B. scope=openid%20profile%20email
The specification [1] states that "Query String Serialization" shall
follow application/x-www-form-urlencoded format according to (the now
out of date 2018, new link below) "HTML 4.01 Specification" [2] which in
turn refers to [3], [4] which says:
"URLSearchParams objects will percent-encode anything in the
application/x-www-form-urlencoded percent-encode set, and will encode
U+0020 SPACE as U+002B (+)."
Am I wrong to then assume that the above option A is indeed the correct
interpretation of the OpenID specification such that its example [5] is
misleading or even incorrect? Can or shall both be accepted?
Thank you in advance for your time and effort.
[1] https://openid.net/specs/openid-connect-core-1_0.html#QuerySerialization
[2] https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#url-encoded-form-data
[3] https://url.spec.whatwg.org/#concept-urlencoded
[4] https://url.spec.whatwg.org/#example-constructing-urlsearchparams
[5] https://openid.net/specs/openid-connect-core-1_0.html#codeExample
--
Best regards
Andreas
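How options A and B behave under a form-urlencoded parser versus a parser that only percent-decodes, as an added example that is not part of the original message. The function names are hypothetical, and the sample query strings are the two options quoted in the message.

```javascript
// Added example: compares the two scope encodings from the message above.
// Function names are hypothetical; inputs are constructed from options A and B.

// application/x-www-form-urlencoded parsing (WHATWG URL spec, URLSearchParams):
// both "+" and "%20" decode to U+0020 SPACE.
function scopesFormDecoded(query) {
  const value = new URLSearchParams(query).get("scope") ?? "";
  return value.split(" ").filter(Boolean);
}

// Percent-decoding only: "+" is left as a literal plus sign, so option A
// collapses into a single, unknown scope value.
function scopesPercentDecodedOnly(query) {
  for (const pair of query.split("&")) {
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    if (decodeURIComponent(name) === "scope") {
      const raw = eq === -1 ? "" : pair.slice(eq + 1);
      return decodeURIComponent(raw).split(" ").filter(Boolean);
    }
  }
  return [];
}

// Form serializer: emits "+" for space and "%2B" for a literal plus.
function serializeForm(scopes) {
  return new URLSearchParams({ scope: scopes.join(" ") }).toString();
}

// Generic percent-encoder: emits "%20" for space.
function serializePercent(scopes) {
  return "scope=" + encodeURIComponent(scopes.join(" "));
}

const optionA = "scope=openid+profile+email";
const optionB = "scope=openid%20profile%20email";

for (const [label, query] of [["A", optionA], ["B", optionB]]) {
  console.log(label, "form-decoded:        ", scopesFormDecoded(query));
  console.log(label, "percent-decoded only:", scopesPercentDecodedOnly(query));
}
console.log("form serializer:   ", serializeForm(["openid", "profile", "email"]));
console.log("percent serializer:", serializePercent(["openid", "profile", "email"]));
```

A receiver that form-decodes accepts both options identically; the mismatch only appears when one side percent-decodes without treating "+" as a space.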