The redirect url failed to handle SPA url with hash

I set a callback URL as http://localhost:4000/#/callback but Auth0 gives me http://localhost:4000/#access_token=....


Per the OAuth2 specification, the recommended flow for a SPA is to use the implicit grant flow, which, by default, implies that the authorization response needs to be provided as the fragment component of the redirect URI. Due to this requirement, the method of communicating the response effectively removes the possibility of you making use of your own fragment.

At this point, a possible workaround, which assumes some collaboration from the web server, would be for you to consider the use of the form_post response mode, which delivers the authorization response as a Form POST to the redirect URI instead of using the fragment component.
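
The fragment behaviour described in the answer above, as an added example that is not part of the original thread: a SPA bootstrap check that tells a hash-router path apart from an implicit-grant response, validates `state`, and only then routes to its own callback view. The function name, the `#/callback` route and the `oauth_state` storage key are assumptions; the parameter names are those of the OAuth2 implicit grant response.

```javascript
// Added example, not code from the thread or from Auth0.
// Assumptions: hash routing with "#/..." paths, a "/callback" route, and a
// state value saved under "oauth_state" before the redirect to the provider.
const AUTH_KEYS = ["access_token", "id_token", "error"];

function classifyFragment(hash, expectedState) {
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;

  // Router paths start with "/" (e.g. "#/callback"); leave them to the router.
  if (raw === "" || raw.startsWith("/")) {
    return { kind: "route", route: raw || "/" };
  }

  // Anything else is parsed as key=value pairs, the form the provider uses
  // when it writes the authorization response into the fragment.
  const params = new URLSearchParams(raw);
  if (!AUTH_KEYS.some((k) => params.has(k))) {
    return { kind: "route", route: "/" };
  }

  // Reject a response whose state is not the one this client generated.
  if (!expectedState || params.get("state") !== expectedState) {
    return { kind: "rejected", reason: "state_mismatch", route: "/" };
  }
  if (params.has("error")) {
    return { kind: "rejected", reason: params.get("error"), route: "/" };
  }
  return {
    kind: "authorized",
    accessToken: params.get("access_token"),
    expiresIn: Number(params.get("expires_in")) || null,
    route: "/callback",
  };
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined") {
  const expected = sessionStorage.getItem("oauth_state");
  sessionStorage.removeItem("oauth_state"); // single use
  const result = classifyFragment(window.location.hash, expected);
  if (result.kind !== "route") {
    // Overwrite the URL so the token does not stay in the address bar or history.
    history.replaceState(null, "", window.location.pathname + "#" + result.route);
  }
  // result is then handed to the application's own session handling.
}
```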