The general consensus amongst the OpenID Connect scolars is that authorization servers should accept both forms:
A. scope=openid+profile+email B. scope=openid%20profile%20email
See also https://gitlab.com/openid/conformance-suite/-/issues/1165