Comment 3 for bug 1433372

As it turns out, the output of base64.urlsafe_b64encode() is not actually URL-safe if the result includes padding. The padding character is '=' which must be percent-encoded.

The result is that "valid" tokens are being made URL-friendly by some defensive code in keystonemiddleware, and are thus made unusable by keystone during validation.

  https://travis-ci.org/dolph/keystone-deploy/builds/54734386

If keystone emitted URL-safe tokens in the first place, the defensive code in keystonemiddleware wouldn't be triggered, and everything works properly.

Unfortunately, PKI and PKIZ tokens exhibit a similar symptom, but apparently due to a different cause.