Not sure if this helps or not, but we were running into a similar issue; it looks like in the URL you posted you have your scope url-encoded, so the "+" shows up as %2B. On our end we were able to fix our issue by excluding the scope line from being url-encoded so the "+" characters generate as a "+", and not as "%2B". Hopefully this helps! On the old authorize endpoints %2B was working without any problems, so I guess this new one for some reason isn't handling properly when it is url-encoded.
... View more