I'm trying to support OAuth2 login through Python Flask, so I want to handle a URL that looks like this:

    http://myserver/loggedIn#accessToken=thisIsReallyImportant

but when I handle the callback it just seems to drop all the characters after the # in the URL, which contains the important Oauth access token. How do I get this info? It's not included in request.url

ETA: I can retrieve it in client-side javascript using window.location in Javascript, but then I'd have to pass it back to the server, which feels a little hokey but maybe Oauth2 is meant to be done that way?

From the RFC:

Fragment identifiers have a special role in information retrieval systems as the primary form of client-side indirect referencing [...] the fragment identifier is not used in the scheme-specific processing of a URI; instead, the fragment identifier is separated from the rest of the URI prior to a dereference

As such, flask drops everything after the '#'. If you want to forward these to the server, you'll have to extract them on the client and pass them to the server via a query parameter or part of the URL path.

You are using the incorrect OAuth 2 grant type (implicit grant) for what you want to do. Implicit grant supplies the token in the fragment as you observed to be used by a javascript client. There is another type of grant, authorization code, which is similar but supplies it in the URI query which you can access from Flask.

You can tell the two apart from the the redirect URI you create for authorization, if it has response_code=code you are on the right track. You currently use response_code=token.

If you are using Facebook look at https://developers.facebook.com/docs/facebook-login/login-flow-for-web-no-jssdk/

For Google look at https://developers.google.com/accounts/docs/OAuth2WebServer

You might also be interested in https://flask-oauthlib.readthedocs.org/en/latest/ which can help you with OAuth.