[Bug] The use of "+" instead of "%20" in URLs is not supported by some third party IDPs #5061
Description
Library version used
4.66.2
.NET version
.NET Framework 4.8
Scenario
PublicClient - desktop app
Is this a new or an existing app?
The app is in production, I haven't upgraded MSAL, but started seeing this issue
Issue description and reproduction steps
Some third party Identity Providers [namely Broadcom Siteminder] do NOT allow the usage of "+" to represent a space in URLs, in particular to separate scopes in the "authorize" endpoint.
So the default scope string "openid profile offline_access", being encoded in the URL string as "openid+profile+offline_access", is interpreted by the IDP as a SINGLE scope "openid+profile+offline_access", which is of course rejected.
Steps to reproduce: try to log in to Siteminder.
Relevant code snippets
No response
Expected behavior
No response
Identity provider
Other
Regression
No response
Solution and workarounds
The solution I propose requires a minimal change: just comment out line 34 in CoreHelpers.cs:

```csharp
using System;

// Class wrapper added here so the excerpt compiles on its own;
// only the UrlEncode method is the change under discussion.
internal static class CoreHelpers
{
    public static string UrlEncode(string message)
    {
        if (string.IsNullOrEmpty(message))
        {
            return message;
        }

        // Uri.EscapeDataString already percent-encodes a space as "%20".
        message = Uri.EscapeDataString(message);
        //message = message.Replace("%20", "+"); // THIS IS NOT NEEDED
        return message;
    }
}
```
The replacement of "%20" with "+" is NOT needed and this action actually harms compatibility.
There is NO workaround for this issue. In order to support SiteMinder I had to fork MSAL.NET to apply this change.
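The interoperability problem described in this issue, reproduced as an added example (not MSAL.NET code): `quote(..., safe="")` stands in for `Uri.EscapeDataString` (space becomes `%20`), `quote_plus` stands in for the extra `Replace("%20", "+")` step, and the two decoders model an IdP that parses the query as `application/x-www-form-urlencoded` versus one that applies only RFC 3986 percent-decoding and keeps a literal `+`. The authorize endpoint URL is a constructed placeholder.

```python
from urllib.parse import parse_qs, quote, quote_plus, unquote, urlsplit

# Default MSAL scope string quoted in the issue.
SCOPES = "openid profile offline_access"
# Constructed placeholder; not a real IdP endpoint.
AUTHORIZE = "https://idp.example.invalid/authorize"


def build_authorize_url(scopes: str, plus_for_space: bool) -> str:
    """Encode the scope value either as current MSAL does (space -> '+')
    or as the issue proposes (Uri.EscapeDataString behaviour, space -> '%20')."""
    encoded = quote_plus(scopes) if plus_for_space else quote(scopes, safe="")
    return f"{AUTHORIZE}?response_type=code&scope={encoded}"


def scopes_seen_by_form_decoder(url: str) -> list[str]:
    """IdP that decodes the query as application/x-www-form-urlencoded:
    parse_qs turns '+' into a space, so both encodings yield three scopes."""
    query = urlsplit(url).query
    return parse_qs(query)["scope"][0].split(" ")


def scopes_seen_by_strict_decoder(url: str) -> list[str]:
    """IdP that applies only RFC 3986 percent-decoding to query values:
    unquote leaves '+' untouched, so a '+'-joined scope list collapses
    into a single unknown scope (the rejection the issue reports)."""
    query = urlsplit(url).query
    params = dict(pair.split("=", 1) for pair in query.split("&"))
    return unquote(params["scope"]).split(" ")


if __name__ == "__main__":
    for plus in (True, False):
        url = build_authorize_url(SCOPES, plus_for_space=plus)
        print(url)
        print("  form decoder  :", scopes_seen_by_form_decoder(url))
        print("  strict decoder:", scopes_seen_by_strict_decoder(url))
```

Only the `%20` form is read as three scopes by both decoders; the `+` form survives only where the server happens to apply form decoding.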