diff --git a/pkg/client/client.go b/pkg/client/client.go
index c1663b1a..b05ccb6f 100644
--- a/pkg/client/client.go
+++ b/pkg/client/client.go
@@ -156,7 +156,7 @@ type RevokeRequest struct {
 
 func (r RevokeRequest) Auth(req *http.Request) {
 	if r.ClientSecret != "" {
-		req.SetBasicAuth(r.ClientID, r.ClientSecret)
+		req.SetBasicAuth(url.QueryEscape(r.ClientID), url.QueryEscape(r.ClientSecret))
 	}
 }
 
@@ -274,7 +274,7 @@ type DeviceAccessTokenRequest struct {
 
 func (r *DeviceAccessTokenRequest) Auth(req *http.Request) {
 	if r.ClientSecret != "" {
-		req.SetBasicAuth(r.ClientID, r.ClientSecret)
+		req.SetBasicAuth(url.QueryEscape(r.ClientID), url.QueryEscape(r.ClientSecret))
 	}
 }
 
diff --git a/pkg/client/rp/relying_party.go b/pkg/client/rp/relying_party.go
index b7566180..ce5aa639 100644
--- a/pkg/client/rp/relying_party.go
+++ b/pkg/client/rp/relying_party.go
@@ -818,7 +818,7 @@ type RefreshTokenRequest struct {
 
 func (r RefreshTokenRequest) Auth(req *http.Request) {
 	if r.ClientSecret != "" {
-		req.SetBasicAuth(r.ClientID, r.ClientSecret)
+		req.SetBasicAuth(url.QueryEscape(r.ClientID), url.QueryEscape(r.ClientSecret))
 	}
 }
 
diff --git a/pkg/oidc/token_request.go b/pkg/oidc/token_request.go
index eeed1818..70ed5489 100644
--- a/pkg/oidc/token_request.go
+++ b/pkg/oidc/token_request.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"net/url"
 	"slices"
 	"time"
 
@@ -247,6 +248,6 @@ type ClientCredentialsRequest struct {
 
 func (r *ClientCredentialsRequest) Auth(req *http.Request) {
 	if r.ClientSecret != "" {
-		req.SetBasicAuth(r.ClientID, r.ClientSecret)
+		req.SetBasicAuth(url.QueryEscape(r.ClientID), url.QueryEscape(r.ClientSecret))
 	}
 }