RFC4648 "The Base16, Base32, and Base64 Data Encodings" defines web-safe base64 (and "normal" base64) <http://tools.ietf.org/html/rfc4648#section-5>.
The spec suggests calling it "base64url". The spec explicitly states that: "in some circumstances, the use of padding ("=") in base-encoded data is not required or used" though it also says that a specification using Base64 needs to explicitly state that padding is omitted in its circumstances. It makes sense to omit the padding when using base64url, as "=" isn't web-safe (it isn't an <unreserved> char). Padding in base64 is pointless so there is no technical problem in omitting it. Not using "normal" base64 is a disadvantage, but well worth it to avoid a unnecessary layer of escaping. Various Base64 libraries support base64url and no padding when called with appropriate flags. -- James Manger _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth