Special characters in redirect url #819

Closed
YannickB opened this issue Apr 6, 2018 · 3 comments

YannickB commented Apr 6, 2018

Hello all,

I have some trouble whitelisting my redirect URL: http://localhost:3000/#/callback. I keep getting the error message:
debug=invalid_request error=invalid_request hint="Make sure that the various parameters are correct, be aware of case sensitivity and trim your parameters. Make sure that the client you are using has exactly whitelisted the redirect_uri you specified."

Here is the command I use to create the client:
hydra clients create -n "admin" -c http://localhost:3000/#/callback -g authorization_code,client_credentials -r id_token,code -a core,openid

When I try with the URL http://localhost:3000/callback it works fine, so I'm wondering whether something is wrong and whether I have caught a bug; maybe the # doesn't work with the whitelist. Unfortunately, since I redirect to a React app I really need this # in the URL, and I have no workaround.

What do you think?

aeneasr (Member) commented Apr 7, 2018

Hashbangs/Hashtags are special in OAuth2 as they may only be used with the implicit grant so this works as intended. Note that the implicit grant is discouraged.

YannickB (Author) commented Apr 7, 2018

Very well, I fear this may cause some incompatibility with some React applications using history/createHashHistory. But if it's part of the standard it can't be helped.

Anyway, I ended up finding the difference between history/createHashHistory and history/createBrowserHistory; this solved my use case and hopefully others' too. I think we can close.

YannickB closed this as completed Apr 7, 2018

aeneasr (Member) commented Apr 7, 2018

The reason for this is primarily security concerns. Since all modern browsers allow access to the url bar, hash/hashbang urls are a thing of the past.
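
The check discussed in this thread, as an added example that is not part of the original issue and not Hydra's own code: RFC 6749 section 3.1.2 requires a redirection endpoint to be an absolute URI without a fragment, and the error hint above asks for an exact whitelist match. The function names are hypothetical, and the sketch assumes http(s)-style redirect URIs that carry a host.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ValidateRegisteredRedirectURI applies the RFC 6749 section 3.1.2 rules a
// server can enforce for a redirect URI: absolute URI, no fragment.
func ValidateRegisteredRedirectURI(raw string) error {
	// Check the raw string: url.Parse drops an empty fragment ("/cb#"),
	// so inspecting u.Fragment alone would miss it.
	if strings.Contains(raw, "#") {
		return errors.New("redirect_uri must not contain a fragment")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("redirect_uri is not a valid URI: %w", err)
	}
	if !u.IsAbs() || u.Host == "" {
		return errors.New("redirect_uri must be an absolute URI")
	}
	return nil
}

// MatchRedirectURI does the exact, case-sensitive comparison the error hint
// in the issue describes; no prefix or normalised matching.
func MatchRedirectURI(requested string, registered []string) bool {
	if ValidateRegisteredRedirectURI(requested) != nil {
		return false
	}
	for _, r := range registered {
		if requested == r {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values based on the URLs in the issue.
	registered := []string{"http://localhost:3000/callback"}
	for _, uri := range []string{"http://localhost:3000/callback",
		"http://localhost:3000/#/callback", "http://localhost:3000/callback#"} {
		fmt.Println(uri, ValidateRegisteredRedirectURI(uri), MatchRedirectURI(uri, registered))
	}
}
```

Exact string comparison, rather than prefix or normalised matching, keeps a whitelisted entry from authorising any other callback location.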
