In Okta’s OIDC /authorize endpoint (OpenID Connect & OAuth 2.0 API | Okta Developer), when using a code auth flow, it appends
#code=1234-5678-9012 to the end of the redirect_uri instead of appending the same url param with a question mark ("?"). The docs don’t specifically say that they are appended as a query string / URL param, but that would seem to make things easier for developers like me who are used to parsing a URL for individual params. This isn’t possible with the hashtag ("#"), and I have to manually regex for the code value.
I’m not necessarily asking for a change but more trying to understand why it was built this way. Thanks!
Definition of a query string / URL params: Query string - Wikipedia