[OpenID] Scope separator encoding: "+" vs "%20"

Dick Hardt dick.hardt at gmail.com
Mon Nov 25 12:44:45 UTC 2024 

Both are valid URL string encodings for a space

The spec says space delimited

On Mon, Nov 25, 2024 at 12:13 PM Joseph Heenan <joseph at authlete.com> wrote:

> Hi Andreas
>
> This has come up occasionally over the years - there is some background
> here: https://gitlab.com/openid/conformance-suite/-/issues/1165
>
> The short answer however is that authorization servers should accept both
> forms.
>
> Thanks
>
> Joseph
>
>
> On 25 Nov 2024, at 09:22, Andreas Faafeng <andreas at faafeng.com> wrote:
>
> Hi all,
>
> I am new to OpenID so please forgive my ignorance.  I find myself in a
> situation where two parties cannot agree on which of the following is the
> correct interpretation of the OpenID specification with regards to scope
> separator encoding:
>
> A. scope=openid+profile+email
> B. scope=openid%20profile%20email
>
> The specification [1] states that "Query String Serialization" shall
> follow application/x-www-form-urlencoded format according to (the now out
> of date 2018, new link below) "HTML 4.01 Specification" [2] which in turn
> refers to [3], [4] which says:
>
>  "URLSearchParams objects will percent-encode anything in the
> application/x-www-form-urlencoded percent-encode set, and will encode
> U+0020 SPACE as U+002B (+)."
>
> Am I wrong to then assume that the above option A is indeed the correct
> interpretation of the OpenID specification such that its example [5] is
> misleading or even incorrect?  Can or shall both be accepted?
>
> Thank you in advance for your time and effort.
>
> [1]
> https://openid.net/specs/openid-connect-core-1_0.html#QuerySerialization
> [2]
> https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#url-encoded-form-data
> [3] https://url.spec.whatwg.org/#concept-urlencoded
> [4] https://url.spec.whatwg.org/#example-constructing-urlsearchparams
> [5] https://openid.net/specs/openid-connect-core-1_0.html#codeExample
>
> --
> Best regards
> Andreas
> _______________________________________________
> general mailing list
> general at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-general
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-general
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20241125/b7628865/attachment.htm>

More information about the general mailing list