Hi Sonia,
The 'Retrieve OAuth 2.0 Token' assertion is included with MAG. It looks you are using the implicit grant, in this case the hash fragment is not directly accessible to the server. You would need to use client side scripting, ie: JavaScript to extract this.
Retrieve OAuth 2.0 Token Assertion sample policy
Alternatively, there is a sample here demonstrating how to replace the hash fragment with a query parameter which will be accessible directly by the Gateway via ${request.http.parameter.access_token}.
Sample Policy for converting a URL hash fragment into a query parameter
Regards,
Joe