Anchor tag #

When we send authorization code, we use ("#") instead of URL as parameter ("?"). For example: https://localhost:8080/mobilepay-authorized#code=af9fb6334....

with regards to the specification, it should be a parameter:

The reason why we use "#" is because, we use identityserver, and it is their default set-up. Moreover, we do not implement the whole OpenId specification.You can easily configure it with a response_mode like this: 


form_post sends the token response as a form post instead of a fragment encoded redirect (optional)

Furthermore, it should also be more secure to have data as a fragment instead of query, because there is nobody that saves it and reads it.