<div dir="auto">Both are valid URL string encodings for a space </div><div dir="auto"><br></div><div dir="auto">The spec says space delimited </div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Nov 25, 2024 at 12:13 PM Joseph Heenan <<a href="mailto:joseph@authlete.com">joseph@authlete.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)"><div style="line-break:after-white-space">Hi Andreas<div><br></div><div>This has come up occasionally over the years - there is some background here: <a href="https://gitlab.com/openid/conformance-suite/-/issues/1165" target="_blank">https://gitlab.com/openid/conformance-suite/-/issues/1165</a></div><div><br></div><div>The short answer however is that authorization servers should accept both forms.</div><div><br></div><div>Thanks</div></div><div style="line-break:after-white-space"><div><br></div><div>Joseph</div><div><br id="m_326046913236648089lineBreakAtBeginningOfMessage"><div><br><blockquote type="cite"><div>On 25 Nov 2024, at 09:22, Andreas Faafeng <<a href="mailto:andreas@faafeng.com" target="_blank">andreas@faafeng.com</a>> wrote:</div><br><div><div>Hi all,<br><br>I am new to OpenID so please forgive my ignorance. I find myself in a situation where two parties cannot agree on which of the following is the correct interpretation of the OpenID specification with regards to scope separator encoding:<br><br>A. scope=openid+profile+email<br>B. 
scope=openid%20profile%20email<br><br>The specification [1] states that "Query String Serialization" shall follow application/x-www-form-urlencoded format according to (the now out of date 2018, new link below) "HTML 4.01 Specification" [2] which in turn refers to [3], [4] which says:<br><br> "URLSearchParams objects will percent-encode anything in the application/x-www-form-urlencoded percent-encode set, and will encode U+0020 SPACE as U+002B (+)."<br><br>Am I wrong to then assume that the above option A is indeed the correct interpretation of the OpenID specification such that its example [5] is misleading or even incorrect? Can or shall both be accepted?<br><br>Thank you in advance for your time and effort.<br><br>[1] <a href="https://openid.net/specs/openid-connect-core-1_0.html#QuerySerialization" target="_blank">https://openid.net/specs/openid-connect-core-1_0.html#QuerySerialization</a><br>[2] <a href="https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#url-encoded-form-data" target="_blank">https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#url-encoded-form-data</a><br>[3] <a href="https://url.spec.whatwg.org/#concept-urlencoded" target="_blank">https://url.spec.whatwg.org/#concept-urlencoded</a><br>[4] <a href="https://url.spec.whatwg.org/#example-constructing-urlsearchparams" target="_blank">https://url.spec.whatwg.org/#example-constructing-urlsearchparams</a><br>[5] <a href="https://openid.net/specs/openid-connect-core-1_0.html#codeExample" target="_blank">https://openid.net/specs/openid-connect-core-1_0.html#codeExample</a><br><br>-- <br>Best regards<br>Andreas<br>_______________________________________________<br>general mailing list<br><a href="mailto:general@lists.openid.net" target="_blank">general@lists.openid.net</a><br><a href="https://lists.openid.net/mailman/listinfo/openid-general" 
target="_blank">https://lists.openid.net/mailman/listinfo/openid-general</a><br></div></div></blockquote></div><br></div></div>
</blockquote></div></div>
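<div>The point this thread settles on, that an authorization server should accept both <code>scope=openid+profile+email</code> and <code>scope=openid%20profile%20email</code>, shown as an added JavaScript example; it is not part of any message in the thread or of the OpenID specification. The helper names and the sample query strings (including <code>client_id=example-client</code>) are constructed for illustration. The last helper shows the percent-decoding-only parse that makes a server reject form A.</div>

```javascript
// Added example: helper names and sample requests are constructed.
// Decode one application/x-www-form-urlencoded component:
// '+' means space, then percent-decoding is applied.
function formDecode(component) {
  return decodeURIComponent(component.replace(/\+/g, ' '));
}

// Extract the scope values from a raw query string (no leading '?').
function parseScopes(rawQuery) {
  for (const pair of rawQuery.split('&')) {
    const eq = pair.indexOf('=');
    const name = formDecode(eq === -1 ? pair : pair.slice(0, eq));
    if (name !== 'scope') continue;
    const value = eq === -1 ? '' : formDecode(pair.slice(eq + 1));
    // Scope values are space-delimited once the parameter is decoded.
    return value.split(' ').filter((s) => s.length > 0);
  }
  return [];
}

// Percent-decoding only, without the '+' rule: a parser written this way
// sees form A as one unknown scope value instead of three.
function parseScopesPercentOnly(rawQuery) {
  const m = /(?:^|&)scope=([^&]*)/.exec(rawQuery);
  return m ? decodeURIComponent(m[1]).split(' ').filter(Boolean) : [];
}

// Constructed sample authorization request queries.
const formA = 'response_type=code&client_id=example-client&scope=openid+profile+email';
const formB = 'response_type=code&client_id=example-client&scope=openid%20profile%20email';

function demo() {
  return {
    a: parseScopes(formA),
    b: parseScopes(formB),
    // The platform parser accepts both forms as well.
    builtinA: new URLSearchParams(formA).get('scope'),
    builtinB: new URLSearchParams(formB).get('scope'),
    // URLSearchParams serializes a space as '+', as quoted in the thread.
    serialized: new URLSearchParams({ scope: 'openid profile email' }).toString(),
    percentOnlyA: parseScopesPercentOnly(formA),
  };
}

console.log(demo());
```

<div>A literal plus sign inside a parameter value has to be sent as <code>%2B</code>, which is why the <code>+</code> replacement runs before percent-decoding and not after it.</div>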