oidcc-rp-initiated-logout: Avoid use of ';' in states
This test
https://www.certification.openid.net/log-detail.html?log=5tytkRRnuHQ7AmE&public=true
is failing the state verification.
The return URL that we submit back is:
https://www.certification.openid.net/test/a/duende_oidc/post_logout_redirect?state=ZdMfMnbohbhCASjaeKFpgUNFfVmVkRhRyQOVLlxOyCfFVAPgsJ0227905547.%23%2F%22~(%25%7B%26;!%5D,%3A%3A%26%25%3E;%5D%3E%3A%27%7B~)%7C~
Spring seems to be truncating the incoming URL query at the unencoded ';' for reasons that aren't entirely clear.
According to https://tools.ietf.org/html/rfc3986#section-3.4 the ABNF for the query is:
query = *( pchar / "/" / "?" )
and pchar is this:
pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
and sub-delims is this:
sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
so a literal ';' appears to be valid, although other software that has passed the logout tests has encoded the ';', e.g.:
https://www.certification.openid.net/log-detail.html?log=tjEVVhBqll6xFyO&public=true
At least for now it seems sane to avoid ';' in states we generate. Possibly really the specs should discourage the use of ';' and a few other problematic characters.
Originally discussed at https://openid.atlassian.net/jira/servicedesk/projects/OCS/queues/custom/10/OCS-13 and https://openid.atlassian.net/jira/servicedesk/projects/OCS/queues/custom/10/OCS-14
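
The sketch below is an added example, not code from this commit or from the conformance suite. It models a receiver that treats ';' as a parameter separator in addition to '&', and shows a state truncated at a literal ';' but intact once the ';' is percent-encoded or left out of the state. The ';'-splitting receiver is an assumption made for illustration (the message above says the cause of the truncation is not clear), and SAMPLE_STATE, STATE_ALPHABET and all function names are hypothetical.

```python
import secrets
import string
from urllib.parse import quote, unquote

# Constructed sample state containing ';' (not the value from the test log).
SAMPLE_STATE = 'Zd0227.#/"~(%{&;!],::&%>;]>'

# Assumption: punctuation-heavy alphabet for generated states, minus ';'.
STATE_ALPHABET = (string.ascii_letters + string.digits
                  + string.punctuation.replace(";", ""))


def encode_state(state, keep_literal=""):
    """Percent-encode a state; characters in keep_literal stay unencoded."""
    return quote(state, safe=keep_literal)


def read_param(query, name, separators="&"):
    """Model receiver: split the query on every separator, then decode."""
    pairs = [query]
    for sep in separators:
        pairs = [piece for chunk in pairs for piece in chunk.split(sep)]
    for pair in pairs:
        key, _, value = pair.partition("=")
        if unquote(key) == name:
            return unquote(value)
    return None


def generate_state(length=40):
    """Random state that never contains ';'."""
    return "".join(secrets.choice(STATE_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # RFC 3986 allows these sub-delims literally, as in the URL above.
    loose = "state=" + encode_state(SAMPLE_STATE, keep_literal="()!,;")
    strict = "state=" + encode_state(SAMPLE_STATE)
    for label, query in (("literal ';'", loose), ("encoded ';'", strict)):
        for seps in ("&", "&;"):
            ok = read_param(query, "state", seps) == SAMPLE_STATE
            print(f"{label:12} separators={seps!r:5} state intact: {ok}")
```

Only the combination of a literal ';' and a receiver that splits on ';' loses part of the state, which is why the same state comparison can pass against one stack and fail against another.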