[Openid-specs-ab] A comment from Randy Hudson [2200661:2644405]
Mike Jones
Michael.Jones at microsoft.com
Thu Feb 9 05:47:33 UTC 2017
Hi Randy,
Thank you for taking the time to comment on the OpenID Connect Core specification. The OpenID Connect working group discussed your comment during the February 6th working group call. The working group agreed with Thomas Broyer’s response to it, which you can find at http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20170130/006430.html, which stated that there are no differences between the encoding rules for the two cases, as far as we can tell. If we’re missing something, please let us know.
Best wishes,
-- Mike Jones
OpenID Connect Working Group Co-Chair
From: Open ID Help [mailto:help at oidf.org]
Sent: Friday, January 27, 2017 3:00 PM
To: mike.leszcz at oidf.org
Cc: Mike Jones <Michael.Jones at microsoft.com>
Subject: FW: A comment from Randy Hudson [2200661:2644405]
Hello,
Please see the comment below.
Thank you,
Jessica
OpenID Foundation Finance & Membership Services
help at oidf.org
2400 Camino Ramon, Suite 375
San Ramon, CA 94583, USA
T. +1.925.275.6639 F. +1.925.275.6691
-----Original Message-----
From: help at oidf.org
Sent: 1/27/2017 7:19 AM
To: help at oidf.org
Subject: A comment from Randy Hudson
a form has been submitted on January 27, 2017, via: http://openid.net/foundation/contact/ [IP 9.27.98.110, 129.42.208.182, 129.42.208.182]
Contact Form
Your Name
Randy Hudson
Email
hudsonr at us.ibm.com
Website
http://www.ibm.com
Message
The core specification (http://openid.net/specs/openid-connect-core-1_0.html) incorrectly specifies that "application/x-www-form-urlencoded" form should be used for encoding query param values in a *URL*. Despite its name, application/x-www-form-urlencoded is only for the body of an HTTP request. The biggest difference is in how PLUS and SPACE characters are encoded/decoded. The examples, however, actually encode SPACE correctly in a URL, using %20, rather than as '+' (if form encoding format were really being used).
In the examples that use POST to send params, application/x-www-form-urlencoded makes sense, but the examples show %20 used to encode SPACE, rather than '+'.
The scenario where this is most likely to cause a problem would be if a param value ever needed to contain a '+' character.
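The SPACE and '+' handling discussed in this thread, as an added example that is not part of the original messages: it round-trips constructed values through form-style and plain percent-encoding encoders and decoders using Python's urllib.parse. The sample values, the function names and the "literal_plus" sender (one that leaves '+' unescaped) are assumptions made for illustration.

```python
from urllib.parse import quote, quote_plus, unquote, unquote_plus

# Constructed sample values (not taken from the thread).
SCOPE = "openid profile"   # contains a SPACE
OPAQUE = "a+b/c=="         # base64-style value containing a literal '+'

def encode_form(value):
    """Form-style serialization: SPACE -> '+', literal '+' -> %2B."""
    return quote_plus(value)

def encode_percent(value):
    """Percent-encoding of everything reserved: SPACE -> %20, '+' -> %2B."""
    return quote(value, safe="")

def encode_literal_plus(value):
    """Assumed lenient sender: percent-encodes SPACE but leaves '+' as is."""
    return quote(value, safe="+")

ENCODERS = {
    "form": encode_form,
    "percent": encode_percent,
    "literal_plus": encode_literal_plus,
}
DECODERS = {
    "form": unquote_plus,   # treats '+' as SPACE, also accepts %20
    "percent": unquote,     # leaves '+' untouched
}

def matrix(value):
    """Map (encoder, decoder) -> True if the value survives the round trip."""
    return {
        (e, d): dec(enc(value)) == value
        for e, enc in ENCODERS.items()
        for d, dec in DECODERS.items()
    }

if __name__ == "__main__":
    for sample in (SCOPE, OPAQUE):
        print(repr(sample))
        for (e, d), ok in matrix(sample).items():
            wire = ENCODERS[e](sample)
            print(f"  {e:>12} -> {d:<7} wire={wire!r:24} {'ok' if ok else 'MISMATCH'}")
```

A form-style decoder accepts both %20 and '+' as SPACE, so the pairings that break are a '+'-for-SPACE sender with a plain percent decoder, and an unescaped '+' with a form-style decoder.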