I am using the meanjs stack and seeing the following callback URL when using Chrome and G+ to auth:

https://accounts.google.com/o/oauth2/approval?as=223724a429788812&hl=en&pageId=none&xsrfsign=ABDEF4gAAAAAV8888ga8dMABcuJAxLy9999qrGXRtXi3

-> 302: Temporary redirect to:

http://localhost:3000/auth/google/callback?code=4/gGM83kTe6c9999999925n6l0tuv9P0C2ZGg8G4Zk_Jc.UlLC0fzyg_QbABD6UAPFm0H6mCCCmgI#

Can anyone explain or point to docs that describe where the ending # comes from?

When I use Firefox I don't see the # being appended.

TIA

The ending # doesn't really matter, it's just a fragment identifier and it won't affect anything. For Google OAuth 2.0, in a client-side application, it's used to send error messages, but it's empty because there is no error.

In addition, you may want to be careful about posting your authorization code publicly...