Fix url-encoding in generateOtpAuthUrl and support UTF-8 key ids

[andi5]

When using generateOtpAuthUrl(), the contents are already url-encoded as that would fit for the chl query parameter of the qrImageUrl(). This way the plain URL is not usable, though.

As a side note, is it really a good idea to offer sharing secrets with google so easily? The user of the library should strive for high security, right?

[j256]

Thanks for the feedback @andi5 . Do you have any recommendations on other ways to get the QR code? Maybe publish a list of QR code generator websites?

[andi5]

I suppose you could have an optional dependency on a library that is able to create qr codes.
I would argue that the secret should not leave a "trusted domain" other than as encoded in a QR code that is to be consumed by a user. It should not go to Google or any other website that generates QR codes. At least this part should be documented clearly.

[j256]

RIght now the javadocs say: Return the QR image url thanks to Google.

That's not enough?

https://github.com/j256/two-factor-auth/blob/master/src/main/java/com/j256/twofactorauth/TimeBasedOneTimePasswordUtil.java#L445