diff --git a/config/kube_config.py b/config/kube_config.py
index ddd3d02b..c7715161 100644
--- a/config/kube_config.py
+++ b/config/kube_config.py
@@ -253,17 +253,20 @@ def _load_oid_token(self, provider):
 return
 parts = provider['config']['id-token'].split('.')
-
- if len(parts) != 3: # Not a valid JWT
+ # check for invalid JWT
+ url_chars = '=+/'
+ if len(parts) != 3 or any(x in url_chars for x in parts):
 return None
+ padding = (4 - len(parts[1]) % 4) * '='
+
 if PY3:
 jwt_attributes = json.loads(
- base64.b64decode(parts[1]).decode('utf-8')
+ base64.urlsafe_b64decode(parts[1] + padding).decode('utf-8')
 )
 else:
 jwt_attributes = json.loads(
- base64.b64decode(parts[1] + "==")
+ base64.b64decode(parts[1] + padding)
 )
 expire = jwt_attributes.get('exp')
diff --git a/config/kube_config_test.py b/config/kube_config_test.py
index a79efb9a..b88bc0d6 100644
--- a/config/kube_config_test.py
+++ b/config/kube_config_test.py
@@ -43,6 +43,12 @@ def _base64(string):
 return base64.encodestring(string.encode()).decode()
+def _unpadded_base64(string):
+ return base64.b64encode(string.encode()).decode().rstrip('=')
+
+def _unpadded_base64_urlsafe(string):
+ return base64.urlsafe_b64encode(string.encode()).decode().rstrip('=')
+
 def _format_expiry_datetime(dt):
 return dt.strftime(EXPIRY_DATETIME_FORMAT)
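Review bot: The new guard `any(x in url_chars for x in parts)` asks whether each whole segment is a substring of `'=+/'`, not whether a segment contains one of those characters, so a token carrying `+`, `/` or `=` still passes (only an empty segment, or one made up solely of those characters, is rejected); the intended test is `if len(parts) != 3 or any(c in x for x in parts for c in url_chars):`. The Python 2 branch still calls `base64.b64decode`, which does not map `-`/`_` back to `+`/`/`, so a base64url payload decodes differently on PY2 than on PY3, where the hunk switches to `urlsafe_b64decode`; `base64.urlsafe_b64decode(parts[1] + padding)` is available on both and keeps the branches consistent. `padding = (4 - len(parts[1]) % 4) * '='` appends four `=` when the length is already a multiple of four, which the decoder appears to tolerate, but `padding = '=' * (-len(parts[1]) % 4)` yields the expected zero in that case. `_load_oid_token` begins and ends outside this hunk.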
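Review bot: `_unpadded_base64` and `_unpadded_base64_urlsafe` differ only in the encoding alphabet, and the fixtures that appear to use them in the next hunk are short ASCII strings whose standard and url-safe encodings come out identical, so nothing here seems to produce a `-` or `_` that would exercise the switch to `urlsafe_b64decode` in `_load_oid_token`. A fixture whose standard base64 contains `+` or `/` (constructed example: `'???'` encodes to `Pz8/` standard and `Pz8_` url-safe) would make the two helpers diverge and cover the new decode path. A one-line docstring on each helper, e.g. `"""Base64-encode *string* and strip the trailing '=' padding, as a JWT segment is."""`, would also tell the reader why the padding is removed.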
@@ -82,16 +88,18 @@ def _raise_exception(st):
 TEST_CLIENT_KEY = "client-key"
 TEST_CLIENT_KEY_BASE64 = _base64(TEST_CLIENT_KEY)
 TEST_CLIENT_CERT = "client-cert"
-TEST_CLIENT_CERT_BASE64 = _base64(TEST_CLIENT_CERT)
+TEST_CLIENT_CERT_BASE64 = _unpadded_base64_urlsafe(TEST_CLIENT_CERT)
 TEST_OIDC_TOKEN = "test-oidc-token"
 TEST_OIDC_INFO = "{\"name\": \"test\"}"
-TEST_OIDC_BASE = _base64(TEST_OIDC_TOKEN) + "." + _base64(TEST_OIDC_INFO)
+TEST_OIDC_BASE = _unpadded_base64(
+ TEST_OIDC_TOKEN) + "." + _unpadded_base64(TEST_OIDC_INFO)
 TEST_OIDC_LOGIN = TEST_OIDC_BASE + "." + TEST_CLIENT_CERT_BASE64
 TEST_OIDC_TOKEN = "Bearer %s" % TEST_OIDC_LOGIN
 TEST_OIDC_EXP = "{\"name\": \"test\",\"exp\": 536457600}"
-TEST_OIDC_EXP_BASE = _base64(TEST_OIDC_TOKEN) + "." + _base64(TEST_OIDC_EXP)
+TEST_OIDC_EXP_BASE = _unpadded_base64(
+ TEST_OIDC_TOKEN) + "." + _unpadded_base64(TEST_OIDC_EXP)
 TEST_OIDC_EXPIRED_LOGIN = TEST_OIDC_EXP_BASE + "." + TEST_CLIENT_CERT_BASE64
 TEST_OIDC_CA = _base64(TEST_CERTIFICATE_AUTH)