
In the following post they use the term hash fragment. I am not quite sure what they mean by that. Are they referring to the text after a hash in a URL?

e.g. www.someurl.com#somefragment

The blurb I am looking at in the article is below

In the implicit flow the access token is passed directly as a hash fragment (not as a URL parameter). One important thing about hash fragment is that, once you follow a link containing a hash fragment, only the browser is aware of the hash fragment. Browsers will pass the hash fragment directly to the destination webpage (the redirect URI / the client's webpage). Hash fragment have the following properties:

Ryan-Neal Mes

1 Answer


Yes, you're correct. They refer to the URL part after the # character.

In example.com#state=dJfw&access_token=lkTyd234AsdF the hash fragment (fragment component) would be:

state=dJfw&access_token=lkTyd234AsdF

This is used by the OAuth2 implicit grant to deliver the response data. In the specification, the terminology used is either fragment component or fragment.

In contrast, the authorization code grant would deliver the information in the query part of the URL, example.com?state=asdTwe3SD&code=kjh56Sdgv.

João Angelo
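The difference between the two redirect styles described in the answer above, as an added example that is not part of the original question or answer: it splits each redirect URL into the request target the browser sends to the server and the fragment it keeps client-side. The `https://` scheme and the function names `parseParams` and `splitOAuthRedirect` are assumptions made for illustration.

```javascript
// Added example (not from the original post): split an OAuth2 redirect URL
// into the part the browser sends to the server and the part it keeps.
// The https:// scheme and both function names are illustrative assumptions.

// Parse "a=1&b=2" into a plain object; URLSearchParams percent-decodes values.
function parseParams(s) {
  return Object.fromEntries(new URLSearchParams(s));
}

function splitOAuthRedirect(redirectUrl) {
  const url = new URL(redirectUrl);
  const query = parseParams(url.search.slice(1));  // text after "?"
  const fragment = parseParams(url.hash.slice(1)); // text after "#"

  return {
    // The HTTP request target is path + query only. The fragment is not part
    // of the request, so it does not show up in server or proxy access logs.
    sentToServer: url.pathname + url.search,
    query,
    fragment,
    delivery: "access_token" in fragment ? "implicit grant (fragment)"
            : "code" in query ? "authorization code grant (query)"
            : "unknown",
  };
}

// Constructed inputs, built from the two URLs quoted in the answer.
const implicit = splitOAuthRedirect(
  "https://example.com/#state=dJfw&access_token=lkTyd234AsdF");
const authCode = splitOAuthRedirect(
  "https://example.com/?state=asdTwe3SD&code=kjh56Sdgv");

console.log(implicit);
console.log(authCode);
```

In the implicit case the server only sees a request for `/`, so script on the redirect page has to read the token from `location.hash`; in the authorization code case the `code` and `state` values arrive at the server in the query string.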