Anchor tag #

When we send authorization code, we use ("#") instead of URL as parameter ("?"). For example: https://localhost:8080/mobilepay-authorized#code=af9fb6334....

with regards to the specification, it should be a parameter: https://tools.ietf.org/html/rfc6749#section-4.1.2

The reason why we use "#" is because, we use identityserver, and it is their default set-up. Moreover, we do not implement the whole OpenId specification.You can easily configure it with a response_mode like this: 

response_mode

form_post sends the token response as a form post instead of a fragment encoded redirect (optional)

http://docs.identityserver.io/en/latest/endpoints/authorize.html

Furthermore, it should also be more secure to have data as a fragment instead of query, because there is nobody that saves it and reads it.