From be6e43e7b0b449dcbb6d597f5fe243ba5235cf75 Mon Sep 17 00:00:00 2001
From: Eugene Blikh
Date: Sun, 26 Apr 2026 18:16:10 +0300
Subject: [PATCH] oidcstub: percent-encode authorize redirect query params (PC1)

---
 internal/testutil/oidcstub/oidcstub.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/internal/testutil/oidcstub/oidcstub.go b/internal/testutil/oidcstub/oidcstub.go
index d10e17ba6dbe08de10d2eb3792e2af2cb33e7fbc..47ab193fdb48cb761cd76cfe1d36cf52155bdf53 100644
--- a/internal/testutil/oidcstub/oidcstub.go
+++ b/internal/testutil/oidcstub/oidcstub.go
@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"math/big"
 	"net/http"
+	"net/url"
 	"time"
 
 	"go.bigb.es/auxilia/culpa"
@@ -349,11 +350,14 @@ func (s *Stub) handleAuthorize(w http.ResponseWriter, r *http.Request) {
 
 	code := s.codes.Issue(s.devStubUser, codeChallenge, redirectURI, 5*time.Minute)
 
-	location := redirectURI + "?code=" + code
+	// Per RFC 6749 §4.1.2, the redirect Location's query parameters must be
+	// properly percent-encoded. The current SPA only emits URL-safe chars,
+	// but PC1 requires literal RFC compliance for real-OP parity.
+	out := url.Values{"code": {code}}
 	if state != "" {
-		location += "&state=" + state
+		out.Set("state", state)
 	}
-	http.Redirect(w, r, location, http.StatusFound)
+	http.Redirect(w, r, redirectURI+"?"+out.Encode(), http.StatusFound)
 }
 
 // handleToken implements the token endpoint (RFC 6749 §4.1.3, RFC 7636 §4.6).
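Review bot: The new `http.Redirect(w, r, redirectURI+"?"+out.Encode(), ...)` line still appends `?` unconditionally, so a redirect_uri that already carries a query component — which RFC 6749 §3.1.2 allows and requires the authorization server to retain when it adds parameters — produces `https://app/cb?x=1?code=...&state=...`, where the client sees `x` = `1?code=...` and no `code` parameter at all; the encoding fix therefore only covers half of the "real-OP parity" the new comment claims. Parsing the redirect URI and merging into its existing query (`u.Query()` / `u.RawQuery`) also keeps `code` and `state` out of any fragment and lets the stub refuse a URI Go cannot parse, which a real OP would do too. handleAuthorize starts outside this hunk, so if redirectURI is already parsed and checked against the registered allow-list earlier in the function, reuse that `*url.URL` here rather than parsing twice; if it is not validated anywhere, that is a separate open-redirect concern worth a look even in a test stub.
```go
	code := s.codes.Issue(s.devStubUser, codeChallenge, redirectURI, 5*time.Minute)

	// RFC 6749 §3.1.2: a registered redirect URI may already carry a query
	// component, which must be retained; merge code/state into it instead of
	// appending a second "?". Values.Encode percent-encodes every pair (§4.1.2).
	u, err := url.Parse(redirectURI)
	if err != nil {
		http.Error(w, "invalid redirect_uri", http.StatusBadRequest)
		return
	}
	q := u.Query()
	q.Set("code", code)
	if state != "" {
		q.Set("state", state)
	}
	u.RawQuery = q.Encode()
	http.Redirect(w, r, u.String(), http.StatusFound)
```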