OpenID state parameter with + character
Article ID: 234647

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

OpenID Connect (OIDC) requests through the Secure Proxy Server fail with an HTTP 500, and the OIDC component reports an illegal character.

The incoming query string contains a + character. A literal + in a query string is interpreted as a space when the query is parsed, so the value received no longer matches what was sent; the OIDC component rejects it and throws an exception.

In this case it was the OIDC 'state' parameter that contained the unencoded + character.

Environment

Release : 12.8.05

Component : SITEMINDER SECURE PROXY SERVER

Cause

The OIDC state parameter value contained a + character. A + must be percent-encoded (as %2B) before it is placed in a query string; otherwise it is decoded as a space on the receiving side.

Resolution

Use base64url encoding (RFC 4648 section 5, without = padding) for OIDC state values, so that the encoded value contains only characters that need no URL-encoding (A-Z, a-z, 0-9, - and _). Merely percent-encoding the state value may not be sufficient: some browsers decode the encoded portion of the query string before submitting it back to the server, and a decoded + is then read as a space. Because the state value is used for an exact comparison, a state value that has been decoded in transit will not match the value the relying party stored, and the request fails. Base64url encoding is therefore recommended. Note that the state value must still be unguessable and bound to the user's session, since it is what protects the callback against CSRF; changing its encoding does not change that requirement.
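The following is an added example, not code from the original article or from the SiteMinder product, showing why a standard base64 state breaks and a base64url state survives. The relying-party URLs, client ID and the "misbehaving redirect" helper are hypothetical; the two-byte input b"\xfb\xff" is constructed so that standard base64 produces a + in the output.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def encode_state_base64url(raw: bytes) -> str:
    """Encode a random state value with unpadded base64url (RFC 4648 s.5).

    The result contains only A-Z, a-z, 0-9, '-' and '_', so it survives a
    round trip through a query string even if an intermediary decodes it.
    """
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def encode_state_base64_standard(raw: bytes) -> str:
    """The problematic form: standard base64 may emit '+', '/' and '='."""
    return base64.b64encode(raw).decode("ascii")


def make_state(nbytes: int = 32) -> str:
    """Fresh, unguessable state (CSRF protection) encoded with base64url."""
    return encode_state_base64url(secrets.token_bytes(nbytes))


def build_authorize_url(authorize_endpoint: str, client_id: str,
                        redirect_uri: str, state: str) -> str:
    """Build the authorization request; urlencode percent-encodes '+' as %2B."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    }
    return authorize_endpoint + "?" + urlencode(params)


def simulate_unencoded_callback(redirect_uri: str, code: str, state: str) -> str:
    """Hypothetical intermediary that appends the state verbatim (not encoded),
    which is what the article describes some browsers/proxies doing."""
    return f"{redirect_uri}?code={code}&state={state}"


def state_from_callback(callback_url: str):
    """Parse the state as a form-style query parser does: '+' becomes a space."""
    query = urlsplit(callback_url).query
    return parse_qs(query, keep_blank_values=True).get("state", [None])[0]


def state_matches(expected: str, received) -> bool:
    """Exact, constant-time comparison of the stored and returned state."""
    return received is not None and secrets.compare_digest(expected, received)


if __name__ == "__main__":
    raw = b"\xfb\xff"  # constructed so standard base64 yields '+/8='
    bad = encode_state_base64_standard(raw)   # '+/8='
    good = encode_state_base64url(raw)        # '-_8'
    cb = "https://rp.example/oidc/callback"
    print(build_authorize_url("https://idp.example/authorize", "rp-client", cb, bad))
    print("standard base64 round trip:",
          state_matches(bad, state_from_callback(simulate_unencoded_callback(cb, "c1", bad))))
    print("base64url round trip:",
          state_matches(good, state_from_callback(simulate_unencoded_callback(cb, "c1", good))))
    print("fresh state:", make_state())
```

The standard-base64 state comes back as " /8=" (the + turned into a space) and the exact comparison fails, which is the 500 described above; the base64url state returns unchanged. The comparison uses secrets.compare_digest so that an attacker cannot learn the stored state through timing.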