OK, it seems that PHP did not default support Section 5 of RFC 4648, "Base 64 Encoding with URL and Filename Safe Alphabet." This function allows PHP to handle the 4 out-lier chars before base64_decode:
function base64url_decode($base64url) {
$base64 = strtr($base64url, '-_', '+/');
$plainText = base64_decode($base64);
return ($plainText);
}
My thanks to the anonymous "Tom" who posted it on PHP.net 6 years ago.