How to prevent ASP.NET Identity external login from adding a # to end of url?

Question

Normally it wouldn't be a big deal, but I'm building an AngularJS app, and the # added by ASP.NET's Identity external login (OWIN based) is wreaking havoc on the angularjs app.

You can see it even on a default new C# ASP.NET MVC site with Google uncommented in Startup.Auth.cs.

A # gets added to the end of the url when a user is logged in and redirected. I've tried handling this redirection on my own, but to no avail... a hash tag always gets added.

Any ideas? Thanks in advance.

Update

The default solution uses a form to initiate the external login, like so:

using (Html.BeginForm(action, "Account", new { ReturnUrl = returnUrl }))
{
    @Html.AntiForgeryToken()
    <div id="socialLoginList">
        <p>
        @foreach (AuthenticationDescription p in loginProviders)
        {
            <button type="submit" class="btn btn-default" id="@p.AuthenticationType" name="provider" value="@p.AuthenticationType" title="Log in using your @p.Caption account">@p.AuthenticationType</button>
        }
        </p>
    </div>
}

I don't see anything in that adding a # to request.

If you look at the Login action, you'll see it calls its own private method to handle redirect:

private ActionResult RedirectToLocal(string returnUrl) {
    if (Url.IsLocalUrl(returnUrl)) {
        return Redirect(returnUrl);
    }
    else {
        return RedirectToAction("Index", "Home");
    }
}

Even when return RedirectToAction("Index", "Home"); is hit it has a # at the end of the url.

I've tried hard coding the return like so: return Redirect("/home/index"); but that also still has the # at the end.

Update 2 Looks like it only happens in Chrome.

Answer 1

The short answer

You cannot as far as I know.

I've had the exact same issue (though in all browsers, not just Chrome). When I investigated I found the hash is hard coded in the OAuthAuthorizationServerHandler.ApplyResponseGrantAsync method, with the following code

var appender = new Appender(location, '#');
appender
    .Append(Constants.Parameters.AccessToken, accessToken)
    .Append(Constants.Parameters.TokenType, Constants.TokenTypes.Bearer);

The longer answer

Campaign to to get it changed, please vote up the issue I've raised: Provide a mechanism to choose the hash '#' separator when redirecting after an external login.

The workaround

I've worked around the issue by choosing a landing page that isn't an AngularJS app which converts the # to a Hashbang #!. Here is the page I've used:

<!DOCTYPE html>
<html lang="en">
<head>
    <script>window.location.replace('/#!/' + window.location.hash);</script>
    <meta charset="utf-8">
    <title>Please wait.</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>Please wait.</body>
</html>

Hope this helps.