diff --git a/src/oic/utils/authn/client.py b/src/oic/utils/authn/client.py
index 4250d8d8d..fb2cba348 100644
--- a/src/oic/utils/authn/client.py
+++ b/src/oic/utils/authn/client.py
@@ -106,8 +106,9 @@ def construct(self, cis, request_args=None, http_args=None, **kwargs):
 if "headers" not in http_args:
 http_args["headers"] = {}
- http_args["headers"]["Authorization"] = "Basic {}".format(
- b64e_enc_dec("{}:{}".format(user, passwd), "utf-8", "utf-8"))
+ credentials = "{}:{}".format(user, passwd)
+ authz = base64.urlsafe_b64encode(credentials.encode("utf-8")).decode("utf-8")
+ http_args["headers"]["Authorization"] = "Basic {}".format(authz)
 try:
 del cis["client_secret"]
diff --git a/tests/test_client.py b/tests/test_client.py
index d17a01f84..92d5ccbe2 100644
--- a/tests/test_client.py
+++ b/tests/test_client.py
@@ -49,9 +49,17 @@ def test_construct(self, client):
 http_args = csb.construct(cis)
 assert http_args == {"headers": {"Authorization": "Basic {}".format(
- base64.b64encode("A:boarding pass".encode("utf-8")).decode(
+ base64.urlsafe_b64encode("A:boarding pass".encode("utf-8")).decode(
 "utf-8"))}}
+ def test_does_not_remove_padding(self):
+ cis = AccessTokenRequest(code="foo", redirect_uri="http://example.com")
+
+ csb = ClientSecretBasic(None)
+ http_args = csb.construct(cis, user="ab", password="c")
+
+ assert http_args["headers"]["Authorization"].endswith("==")
+
 class TestBearerHeader(object):
 def test_construct(self, client):
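Review bot: The added `authz = base64.urlsafe_b64encode(...)` line in `construct` builds the Basic credential with the URL-safe alphabet, while RFC 7617 specifies standard Base64. Any `user:passwd` whose encoding contains alphabet index 62 or 63 is therefore sent with `-`/`_` where a conforming server expects `+`/`/`, and authentication fails for those clients. I would change it to `authz = base64.b64encode(credentials.encode("utf-8")).decode("utf-8")`, which keeps the padding this commit restores. The hunk does not show the file's imports, so confirm `base64` is imported in client.py; `construct` itself starts and ends outside the hunk.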
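Review bot: Neither test in this hunk pins which Base64 alphabet goes on the wire. `test_construct` computes its expected value with the same `urlsafe_b64encode` call as the implementation, and `"A:boarding pass"` encodes identically under both alphabets. `test_does_not_remove_padding` only checks the `==` suffix, so a wrong body would still pass; asserting the full literal, `assert http_args["headers"]["Authorization"] == "Basic YWI6Yw=="`, is stricter and does not mirror the code under test. I would also add a case whose encoding hits index 62, for example `user="a", password="~"` (a constructed sample), where standard Base64 per RFC 7617 gives `Basic YTp+`.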