PAR Request Object claim 'state' format: special characters are allowed or not?

[stedcl]

In the current version of the EUDI Wallet IT spec we found:

PAR Request Object claim 'state': Unique session identifier at the client side. This value will be returned to the client in the response, at the end of the authentication. It MUST be a random string composed by alphanumeric characters and with a minimum length of 32 digits.

This definition doesn't clarify if we can use special characters or not.

This specs:

• https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml
• https://www.rfc-editor.org/rfc/rfc6749.html#appendix-A.5
• https://stackoverflow.com/questions/50031993/what-characters-are-allowed-in-an-oauth2-access-token

define state as a VSCHAR, i.e. [^\x20-\x7E] --> from \x20 (space) to \x7E (~) .

It's possible to reference the right definition of the "alphanumeric characters" into the EUDI Wallet IT spec?

\x20: (spazio)
\x21: !
\x22: "
\x23: #
\x24: $
\x25: %
\x26: &
\x27: '
\x28: (
\x29: )
\x2A: *
\x2B: +
\x2C: ,
\x2D: -
\x2E: .
\x2F: /
\x30: 0
\x31: 1
\x32: 2
\x33: 3
\x34: 4
\x35: 5
\x36: 6
\x37: 7
\x38: 8
\x39: 9
\x3A: :
\x3B: ;
\x3C: <
\x3D: =
\x3E: >
\x3F: ?
\x40: @
\x41: A
\x42: B
\x43: C
\x44: D
\x45: E
\x46: F
\x47: G
\x48: H
\x49: I
\x4A: J
\x4B: K
\x4C: L
\x4D: M
\x4E: N
\x4F: O
\x50: P
\x51: Q
\x52: R
\x53: S
\x54: T
\x55: U
\x56: V
\x57: W
\x58: X
\x59: Y
\x5A: Z
\x5B: [
\x5C: \
\x5D: ]
\x5E: ^
\x5F: _
\x60: `
\x61: a
\x62: b
\x63: c
\x64: d
\x65: e
\x66: f
\x67: g
\x68: h
\x69: i
\x6A: j
\x6B: k
\x6C: l
\x6D: m
\x6E: n
\x6F: o
\x70: p
\x71: q
\x72: r
\x73: s
\x74: t
\x75: u
\x76: v
\x77: w
\x78: x
\x79: y
\x7A: z
\x7B: {
\x7C: |
\x7D: }
\x7E: ~

[pietroACN]

The specification looks clear from the last statement "..MUST be a random string composed by alphanumeric characters and with a minimum length of 32 digits"
If we see the NIST definition of Special Character, this is "Any non-alphanumeric character that can be rendered on a standard...", thus not alpha-numeric.