The OAuth spec doesn't require tokens to be URL-safe. It's nice if they are, but it's not required.
Tokens (and other parameters) from the service provider are percent encoded. See http://tools.ietf.org/html/rfc5849#section-2.1 and http://tools.ietf.org/html/rfc5849#section-2.3 Request parameters must also be percent encoded. See http://tools.ietf.org/html/rfc5849#section-3.5 -- You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oa...@googlegroups.com. To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/oauth?hl=en.