OpenID Explicit flow approval step returns html anchor


just playing around with the REST API. There is more than one way to get a token but I wanted to get the use case working where a user is frist directed to for authentication, responds with an access token which is then exchanged into an authorization token.

The docs state

Success behavior: After successfully authenticating and accepting the requested scope, the user will be redirected back to the redirect_uri provided by the prior step.`

All good 'cause the redirect_uri that is being redirected to is supposed to contain the access_token.
However even if the requested redirect_uri is something like “https://localhost:8080/test/test2”, the resulting redirect goes to e.g.


Notice the “#” in the URI. That is a HTML anchor and browsers do NOT send everything behind it to the http server. That means my backend code never sees the returned access_token.

The resulting URI should be e.g.

Notice the “?” instead of the “#”.
The code on the mydevices side should either append its parameters with a “?” if the requested return_uri doesn’t contain any URL parameters itself or append its parameters with a “&” if there are already URL parameters in the return_uri.

I mean… am I missing something here?

Any pointers to where I’m doing it wrong are appreciated.


can you share the curl or the exact call you are making.

The first call is a simple GET:

The result of this is this:


You will have to implement explicit flow to achieve what you want.
Instead of passing response_type=token you will have to pass response_type=code.

Then on your application you will be able to exchange this code for an access token.
This can be done with the following request:

curl --request POST
–header ‘content-type: application/x-www-form-urlencoded’
–data grant_type=authorization_code
–data ‘client_id=’
–data ‘client_secret=’
–data ‘redirect_uri=’
–data ‘code=’
–data ‘scope=email profile’

Where client_id and client_secret are the client credentials you get from the Cayenne web app.
redirect_uri must be the same you used when you first redirect the end user.
code is the code provided by the Identity Provider during this callback.

Ideally your application will check that the session passed back at this step by our identity provider is equal to the session_state you provided in the first place.

Our identity provider service will then reply with an access token that you can use to consume our API.

Here a good step by step tutorial on to implement explicit flow.
Hope this helps