Play Framework appending #_=_ to redirect after Facebook auth via OAuth2?

Question

I'm doing a simple redirect after calling OAuth2::retrieveAccessToken() with Play Framework. I'm having funny characters appended to the URL that I never put there, so the end result looks as follows:

http://localhost:9000/#_=_

Where on earth does the #_=_ come from? Here's my route definition from the routes file:

GET / Application.index

Here's the code snippet of the controller dealing with the Facebook authentication:

public static void facebookConnect() {
    OAuth2 facebook = new OAuth2(
        "https://graph.facebook.com/oauth/authorize",
        "https://graph.facebook.com/oauth/access_token",
        "2#############6",
        "c##############################2"
    );

    if(OAuth2.isCodeResponse()) {
        OAuth2.Response oauthResponse = facebook.retrieveAccessToken(facebookAuthUrl());
        if(oauthResponse.error == null) {
            //... Somewhere here, something is causing #_=_ to be appended to the URL?
            Application.index();
        }
    }
    facebook.retrieveVerificationCode(facebookAuthUrl());
}

EDIT:

According to this page, Facebook changed their API recently to include the = if request_uri is empty, the problem is...my request_uri has been explicitly set?

Answer 1

This was added after a security update.

From the Facebook developer blog:

Change in Session Redirect Behavior

This week, we started adding a fragment #_=_ to the redirect_uri when this field is left blank. Please ensure that your app can handle this behavior.

Answer 2

Maybe these characters come from the facebook callback. I was getting a FB callback like

localhost:9000?someparams#code=verylongcodefromfacebook

I could get rid of the # just by sanitizing the params before requesting the access token.