Base64url seems a better option over base64

[sandersaares]

At the moment, TAC does not specify the URL-safe variant of base64 to be used. As the Access Token is a part of the request URL, it seems to make sense to use URL-safe base64 encoding (aka "base64url"), as normal base64 is not URL-safe due to the presence of / and + characters, which will cause interoperability problems.

[edrthomas]

Addressed in Security TF call 16-11-09

As mentioned in minutes, see accepted resolution for this issue.