Patch by Andi Albrecht. He writes: "I've tracked it down and found the function that encodes the URL parameters again. The additional URL quoting happens in url-retrieve-internal when the given url is a multibyte string. In that case url-hexify-string is called a second time. But I was not able to find the actual root cause, i.e. why the first URL for checkToken is a multibyte-string and the second request (getFrob) isn't." Fixes #2.