Redirect URL has fragments

[anupambha...@gmail.com]

The redirect URL does not allow fragments and I am not able to authorize the user. Is there any work around to achieve this ? 

Frontend : Angularjs

Backend : NodeJS(waterline sails)

[Mark Scrimshire]

The Blue Button 2.0 API Redirect_URI does not accept the Hash (#) as a fragment in the URI. 

The OAuth2.0 specification uses the Hash to send the AccessToken when using the Implicit flow. 

Therefore a Hash fragment in the Redirect_URI would get replaced. You  should look at passing information using a query parameter. 

Some interesting posts about OAuth2.0 and Fragments:

[Thread Safe: OAuth 2 and Fragment encoding.](http://www.thread-safe.com/2014/05/oauth-2-and-fragment-encoding.html)

https://weblog.bulknews.net/covert-redirect-vulnerability-with-oauth-2-2c1f3083b1b4

if you are using Angular you might want to check out the comments here:

https://github.com/auth0/auth0.js/issues/360

particularly the last entry by Sojer23. He suggests a way to add code to the Angular App Manager to alter the handling of the hash for routing.

If you are using the Hash for routing in your Angular app it is probably getting confused with the response from Auth2.0 in the Implicit flow.

- Mark