diff --git a/ChangeLog b/ChangeLog
index 9c4551f..7cfa7bb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+10/11/2018
+- url-encode client_id/client_secret; closes #204 and #205; thanks @grrolland
+  https://tools.ietf.org/html/rfc6749#section-2.3.1
+
 10/8/2018
 - make call_token_endpoint a public function
diff --git a/README.md b/README.md
index 7cc6fba..2befa73 100644
--- a/README.md
+++ b/README.md
@@ -118,8 +118,11 @@ http {
 -- and could not set the hostname
 discovery = "https://accounts.google.com/.well-known/openid-configuration",
+-- For non compliant OPs to OAuth 2.0 RFC 6749 for client Authentication (cf. https://tools.ietf.org/html/rfc6749#section-2.3.1)
+-- client_id and client_secret MUST be invariant when url encoded
 client_id = "",
-client_secret = ""
+client_secret = "",
+
 --authorization_params = { hd="zmartzone.eu" },
 --scope = "openid email profile",
 -- Refresh the users id_token after 900 seconds without requiring re-authentication
diff --git a/lib/resty/openidc.lua b/lib/resty/openidc.lua
index 9fb105a..88f1e4d 100644
--- a/lib/resty/openidc.lua
+++ b/lib/resty/openidc.lua
@@ -391,7 +391,7 @@ function openidc.call_token_endpoint(opts, endpoint, body, auth, endpoint_name)
 if auth then
 if auth == "client_secret_basic" then
 if opts.client_secret then
-headers.Authorization = "Basic " .. b64(opts.client_id .. ":" .. opts.client_secret)
+headers.Authorization = "Basic " .. b64(ngx.escape_uri(opts.client_id) .. ":" .. ngx.escape_uri(opts.client_secret))
 else
 -- client_secret must not be set if Windows Integrated Authentication (WIA) is used with
 -- Active Directory Federation Services (AD FS) 4.0 (or newer) on Windows Server 2016 (or newer)
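Review bot: The new `headers.Authorization` line in the `client_secret_basic` branch applies `ngx.escape_uri` to the credentials, but `ngx.escape_uri` is URI percent-encoding, which differs from the application/x-www-form-urlencoded algorithm RFC 6749 Appendix B calls for in at least one case: a literal space becomes `%20` rather than `+`, so a secret containing a space would still not match what a strictly conforming OP decodes. This is also a silent behaviour change for existing deployments whose secret contains reserved characters and whose OP compares the raw value; the README note covers that, but the code path itself carries no hint and offers no opt-out, so a deployment that rotates to such a secret will see token-endpoint 401s with nothing in the code pointing at the cause. Consider adding above the assignment `-- RFC 6749 §2.3.1: client_id/client_secret are form-urlencoded before Basic auth; OPs that compare the raw secret will reject escaped values (see README)`, and checking whether the `client_secret_post` path (outside this hunk) encodes the same values consistently. `openidc.call_token_endpoint` starts before and continues past the hunk.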