URI fragment after # (hash) is being stripped off

anshul_
Participant IV

For one of our scenarios, we are integrating Apigee with Auth0. As part of that, we have configured Apigee proxy URI as the callback URI in Auth0 portal for implicit OAuth.

But when the Apigee callback proxy gets a request with the access token as a URI fragment (e.g. /auth-0/callback#access_token=wpooD8K0Ehc2H), it is stripping off the part after # (hash), and that's why we are unable to retrieve the access token.

Is there any way to fix this issue apart from replacing "#" with "%23" in our query string, which is not feasible for us?



@aagrawal, Are you sure the client is able to send the token after #?

Most (maybe all) of the clients like browsers, curl etc. will not even send the content after # as it is considered unsafe.

The character "#" is unsafe and should always be encoded because it is used in World Wide Web and in other systems to delimit a URL from a fragment/anchor identifier that might follow it.

More info here https://www.ietf.org/rfc/rfc1738.txt

Yes, as @Maruti Chand points out, the # character in a URL indicates a fragment.

This is used to communicate a specific thing to the user-agent (client, or browser).

When invoking a request, most clients do not pass the # or what follows, as it is not meaningful to servers, according to the specs.

But possibly there is a workaround. I'm not clear on the flow. Can you provide a sequence diagram or similar to show what is really happening?

Normally the # is included in an OAuth callback, for implicit flow. But that callback normally is not proxied. Instead it is sent to one of the URLs registered for that client, with the OAuth server. But I'm not clear which actor is the oauth server here, which one is the client, and so on. If you had a sequence diagram it would be clear.
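Both replies above make the same point: the fragment is consumed by the user agent and never appears on the wire, so no proxy configuration can recover it. The snippet below is an added example (editor's code, not from the original thread or from Apigee/Auth0) that shows, in browser-side JavaScript, what a client actually sends for such a URL, and the workaround a page served at the registered callback URL can apply: read the token out of the fragment and forward it to the backend in an Authorization header. The relay path "/auth-0/token-relay", the host "api.example.com" and the sample callback values are assumed for illustration.

```javascript
// Added example (not from the original thread). Shows why the fragment never
// reaches the Apigee proxy and how a callback page can lift the token out of
// the fragment and send it to the backend in a header instead.
// Assumed names: "api.example.com" and the relay path "/auth-0/token-relay"
// are hypothetical; the token value is the one quoted in the question.

// What a user agent sends as the request-target for a URL: path and query
// only. The fragment is client-side data (RFC 3986 section 3.5) and is never
// transmitted to the server, so "#access_token=..." is gone before any proxy
// sees the request.
function requestTargetFor(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// Parse the fragment of an implicit-flow callback into key/value pairs.
// Accepts either a full URL or a bare "#a=b&c=d" string (window.location.hash).
function parseFragmentParams(urlOrHash) {
  let hash = urlOrHash;
  if (!hash.startsWith('#')) {
    hash = new URL(urlOrHash).hash; // '' when the URL has no fragment
  }
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  return Object.fromEntries(params.entries());
}

// Build the request a callback page can send to the backend so the token
// travels in an Authorization header rather than in the URL (keeps it out of
// proxy access logs and Referer headers). Returns a plain object so it can be
// inspected here; in a page, pass it to fetch(req.url, req).
function buildForwardRequest(callbackUrl, relayPath) {
  const fragment = parseFragmentParams(callbackUrl);
  if (!fragment.access_token) {
    throw new Error('callback URL carries no access_token in its fragment');
  }
  const origin = new URL(callbackUrl).origin;
  return {
    url: origin + relayPath,
    method: 'POST',
    headers: {
      'Authorization': 'Bearer ' + fragment.access_token,
      'Content-Type': 'application/json'
    },
    // Non-secret metadata goes in the body; the backend should still verify
    // "state" against what it issued before trusting anything here.
    body: JSON.stringify({
      token_type: fragment.token_type || null,
      expires_in: fragment.expires_in ? Number(fragment.expires_in) : null,
      state: fragment.state || null
    })
  };
}

// Constructed sample modelled on the callback quoted in the question.
const sampleCallback =
  'https://api.example.com/auth-0/callback' +
  '#access_token=wpooD8K0Ehc2H&token_type=Bearer&expires_in=7200&state=xyz';

// Stand-alone demonstration.
console.log('request-target sent by the client:', requestTargetFor(sampleCallback));
console.log('fragment seen only by the browser :', parseFragmentParams(sampleCallback));
console.log('forwarded request               :', buildForwardRequest(sampleCallback, '/auth-0/token-relay'));
```

In a real deployment the relay endpoint must be on the same origin as the callback page or explicitly allow it via CORS, and the page should check the returned `state` before forwarding anything, since the fragment is writable by whoever controls the URL the browser was sent to.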