oauth2: percent-encode '+' in token request body parameters

[garimauttam]

PercentEncoding::encode in oauth_client.cc was missing + from its reserved charset (":/=&?"). In application/x-www-form-urlencoded, an unencoded + is interpreted as a space by the server — so OAuth2 credentials containing + (e.g. Azure AD / Entra ID client secrets) were silently mangled, resulting in 401 AADSTS7000215: Invalid client secret.

Why it matters

Base64-encoded secrets commonly contain +. This caused silent, hard-to-debug auth failures with no indication the secret was being corrupted in transit.

Change

• ":/=&?" → ":/=&?+" across all 9 PercentEncoding::encode calls in asyncGetAccessToken and asyncRefreshAccessToken
• Covers all auth types (UrlEncodedBody, BasicAuth, TlsClientAuth) and all parameters (client_id, client_secret, redirect_uri, code_verifier, refresh_token)

Tests

3 new unit tests in oauth_test.cc assert + → %2B for client_secret, client_id, and refresh_token.

Fixes #43686

[agrawroh]

cc @zhaohuabing @wbpcode for a review.

[zhaohuabing]

Hi @garimauttam thanks for fixing this! Since the reserved character set appears in multiple places, would it make sense to define it as a constant and reuse it throughout?

[wbpcode]

gently ping @zhaohuabing

[zhaohuabing]

Hi @garimauttam Could you please fix the format?

https://github.com/envoyproxy/envoy/actions/runs/23315013831/job/67812067258

[rubenceroni]

Hi @garimauttam are you still working on this? can i help get this merged?

[garimauttam]

Hi @garimauttam are you still working on this? can i help get this merged?

@rubenceroni thanks. I’ve fixed the format failure. I’d really appreciate a quick review to help get this merged.