
Can OpenID Connect Scopes Contain Spaces?


Does OpenID Connect support the quoting of scopes?

For example, is requesting the openid scope the same as requesting the "openid" scope?

If so, does this mean that scopes are allowed to contain spaces?

I tried looking through this specification, but it is ambiguous on this issue.


Solution

  • See the original OAuth2 RFC:

    The value of the scope parameter is expressed as a list of space-
    delimited, case-sensitive strings.  The strings are defined by the
    authorization server.  If the value contains multiple space-delimited
    strings, their order does not matter, and each string adds an
    additional access range to the requested scope.
    
     scope       = scope-token *( SP scope-token )
     scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
    

    According to this, openid and "openid" are different scopes, and a space delimits scope names (therefore not allowed as part of a scope name).

    Update

    Note though that in scope-token, it explicitly omits %x22, which is the double quote. So "openid" is not a valid scope name. Btw it also removes %x5C, which is a backslash, presumably to make validation easier in authorization server implementations.
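A validator built directly from the ABNF quoted in the answer, as an added example that is not part of the original post. The names `scope_error`, `parse_scope` and `InvalidScope` are hypothetical, and the sample inputs are constructed.

```python
import re

# RFC 6749 scope ABNF, as quoted above, transcribed into a regex:
#   scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
#   scope       = scope-token *( SP scope-token )
_TOKEN_CHAR = r"[\x21\x23-\x5B\x5D-\x7E]"
_SCOPE_RE = re.compile(rf"{_TOKEN_CHAR}+(?: {_TOKEN_CHAR}+)*")


class InvalidScope(ValueError):
    """Raised when a scope parameter does not match the ABNF (hypothetical name)."""


def scope_error(value):
    """Return None if value matches the grammar, else a reason string."""
    if _SCOPE_RE.fullmatch(value):
        return None
    illegal = sorted({c for c in value
                      if c != " " and not re.fullmatch(_TOKEN_CHAR, c)})
    if illegal:
        return "illegal character(s): " + ", ".join(
            f"%x{ord(c):02X}" for c in illegal)
    # Only legal characters and single spaces remain, so some token is empty.
    return "empty scope-token (empty value, or leading, trailing or repeated space)"


def parse_scope(value):
    """Validate, then return the scope as an unordered set of tokens."""
    reason = scope_error(value)
    if reason:
        raise InvalidScope(f"{value!r}: {reason}")
    # Order does not matter and tokens are case-sensitive, so a set of the
    # exact strings is the natural representation.
    return frozenset(value.split(" "))


if __name__ == "__main__":
    # Constructed sample scope values.
    samples = ["openid", '"openid"', "openid profile", "openid  profile",
               "a\\b", " openid", "https://example.com/read"]
    for s in samples:
        print(repr(s), "->", scope_error(s) or sorted(parse_scope(s)))
```

Validating before splitting matters: a plain `split()` would silently accept repeated spaces and pass a quoted token through to later comparisons.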