[OpenID] Scope separator encoding: "+" vs "%20"

Joseph Heenan joseph at authlete.com
Mon Nov 25 12:13:12 UTC 2024


Hi Andreas

This has come up occasionally over the years - there is some background here: https://gitlab.com/openid/conformance-suite/-/issues/1165

The short answer however is that authorization servers should accept both forms.

Thanks

Joseph


> On 25 Nov 2024, at 09:22, Andreas Faafeng <andreas at faafeng.com> wrote:
> 
> Hi all,
> 
> I am new to OpenID so please forgive my ignorance.  I find myself in a situation where two parties cannot agree on which of the following is the correct interpretation of the OpenID specification with regards to scope separator encoding:
> 
> A. scope=openid+profile+email
> B. scope=openid%20profile%20email
> 
> The specification [1] states that "Query String Serialization" shall follow application/x-www-form-urlencoded format according to (the now out of date 2018, new link below) "HTML 4.01 Specification" [2] which in turn refers to [3], [4] which says:
> 
>  "URLSearchParams objects will percent-encode anything in the application/x-www-form-urlencoded percent-encode set, and will encode U+0020 SPACE as U+002B (+)."
> 
> Am I wrong to then assume that the above option A is indeed the correct interpretation of the OpenID specification such that its example [5] is misleading or even incorrect?  Can or shall both be accepted?
> 
> Thank you in advance for your time and effort.
> 
> [1] https://openid.net/specs/openid-connect-core-1_0.html#QuerySerialization
> [2] https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#url-encoded-form-data
> [3] https://url.spec.whatwg.org/#concept-urlencoded
> [4] https://url.spec.whatwg.org/#example-constructing-urlsearchparams
> [5] https://openid.net/specs/openid-connect-core-1_0.html#codeExample
> 
> -- 
> Best regards
> Andreas
> _______________________________________________
> general mailing list
> general at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-general
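
The decoding difference behind the two forms discussed in this thread, as an added example that is not part of the original e-mails or of any project's code. The query strings are constructed samples and the function names are hypothetical.

```javascript
// Constructed sample query strings for the two forms discussed in the thread.
const FORM_A = 'response_type=code&scope=openid+profile+email';
const FORM_B = 'response_type=code&scope=openid%20profile%20email';

// application/x-www-form-urlencoded decoding: "+" becomes a space, then
// percent-decoding is applied. Both forms yield the same scope list.
function parseScope(query) {
  const raw = new URLSearchParams(query).get('scope');
  if (raw === null) return [];
  // Scope values are space-delimited; drop empty tokens from repeated spaces.
  return raw.split(' ').filter((t) => t.length > 0);
}

// Percent-decoding only (generic URI rules): "+" stays a literal plus sign,
// so form A collapses into one unrecognised scope token.
function parseScopePercentOnly(query) {
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    if (decodeURIComponent(name) === 'scope') {
      const value = eq === -1 ? '' : pair.slice(eq + 1);
      return decodeURIComponent(value).split(' ').filter((t) => t.length > 0);
    }
  }
  return [];
}

// Client side: the form serializer emits "+", encodeURIComponent emits "%20".
// A literal plus sign inside a value must be sent as "%2B" in either case.
function serializeForm(scopes) {
  return new URLSearchParams({ scope: scopes.join(' ') }).toString();
}
function serializePercent(scopes) {
  return 'scope=' + encodeURIComponent(scopes.join(' '));
}

console.log(parseScope(FORM_A), parseScope(FORM_B));
console.log(parseScopePercentOnly(FORM_A)); // one token containing "+"
console.log(serializeForm(['openid', 'profile']), serializePercent(['openid', 'profile']));
```

A server that decodes the request with a percent-only routine sees form A as a single scope it does not recognise, which is the interoperability failure that accepting both forms avoids.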
