I'm trying to create a new Gmail add-on using Google Apps Script and trying to access third-party, non-Google API. For that I am using O-Auth 2.0 Implicit Grant-Type for authentication.

This is how the AuthService looks like :

function getOAuthService() {
  return OAuth2.createService('Podio O-Auth')
    .setAuthorizationBaseUrl('Base Url')
    .setTokenUrl('Token Url')
    .setClientId('clientId')
    .setClientSecret('clientSecret')
    .setParam('redirect_uri', 'https://script.google.com/macros/d/' + scriptID + '/usercallback')
    .setScope('GLOBAL')
    .setCallbackFunction('authCallback')
    .setCache(CacheService.getUserCache())
    .setParam('response_type', 'token')
    .setParam('response_mode', 'query')
    .setParam('state', getStateToken('authCallback')) // function to generate the state token on the fly
    .setPropertyStore(PropertiesService.getUserProperties());
}

The script correctly generates an URL that includes my redirect_uri
Auth picks up the request, generates a token, and redirects me to the scripts.google.com domain.

Once hitting scripts.google.com, I am redirected to an URL that includes my custom domain, e.g.

https://script.google.com/a/macros/[custom-domain]/d/[script-id]/usercallback#access_token=[token]&expires_in=7200&token_type=Bearer&state=[state]&id_token=[token]

Which results in this error:

because the url is fragmented by #. If I replace the # with ?, then it works as expected.

Can anyone please tell me how can I fix this issue? If not then do I have to Authorization code grant flow for this purpose ?

Note: I have used setParam('response_type', 'token') for Implicit Grant-Type

Per your question in the apps-script-oauth2 GitHub repo, your particular implementation of OAuth in Apps Script (using that library) does not support Implicit Grant. Given that Apps Script executes in the server (and not the client, where implicit grant is most useful), it is not likely that the library you use will be extended to support it either.

The library currently doesn't support implicit grants. Google AppScript supports server side flow. So, I set the response_type = code and this is the working authorization service looks like:

function getOAuthService() {
  return OAuth2.createService('Podio O-Auth')
    .setAuthorizationBaseUrl('Base Url')
    .setTokenUrl('Token Url')
    .setClientId('clientId')
    .setClientSecret('clientSecret')
    .setParam('redirect_uri', 'https://script.google.com/macros/d/' + scriptID + '/usercallback')
    .setScope('GLOBAL')
    .setCallbackFunction('authCallback')
    .setCache(CacheService.getUserCache())
    .setParam('response_type', 'code')
    .setParam('response_mode', 'query')
    .setParam('state', getStateToken('authCallback')) // function to generate the state token on the fly
    .setPropertyStore(PropertiesService.getUserProperties());
}

It internally first calls the autorizatiionBaseUrl and recieves the authorization code. And with this authorization code it agains makes a post request to TokenUrl to get the auth_token, refresh_token and other details. Thanks. :)