var separator;

    // TODO check that we appropriately use '#' for implicit and '?' for code
    // (server-side) in an OAuth2 backwards-compatible way
    if ('token' === scope.appQuery.response_type) {
      separator = '#';
    }
    else if ('code' === scope.appQuery.response_type) {
      separator = '?';
    }
    else {
      separator = '#';
    }

    if (scope.pendingScope.length && !opts.allow) {
      redirectUri += separator + Oauth3.querystringify({
        error: 'access_denied'
        , error_description: 'None of the permissions were accepted'
        , error_uri: 'https://oauth3.org/docs/errors#access_denied'
        , state: scope.appQuery.state
      });
      $window.location.href = redirectUri;
      return;
    }