I personally solved this possible issue by using a long search parameter on the redirect url to hide the hash part of the URI on load. Then I have a Javascript part which is loaded “onload” which looks like this:
// Clear location.hash for security purposes (So a user doesn't copy the link and sends their token to another user)
if(window.location.hash.length > 0) window.location.hash = '';
if(window.location.search.length > 0) {
// Update URL
let url = new URL(window.location);
url.search = '';
window.history.pushState({}, '', url);
}
Basically first removing the hash part from the URI and then rewriting it to remove the long search parameter part.