OAuth 2.0 missing auth flow:

- Application requests tokens (tokenA & tokenB) from the OAuth server
- Application launches a browser with a link containing tokenB to ask the user for OAuth permissions
- Application initiates a request to the OAuth server, containing tokenA, for confirmation or decline of the authentication (long-polling)

This avoids the requirement of a callback URL, allowing non-browser apps to authenticate users without prior knowledge of a username, password or other authentication key.

Command-line application `app`:

- `app <--> server`: app initiates the authentication flow
- `browser --> server`: app opens a browser or presents a URL so that the user can log in and give permission
- `app <--> server`: app initiates long-polling requests, waiting for the user to give permission and for the server to send back data

For an example of how this can be implemented in practice, see https://trakt.tv/activate. The user is asked by the TV app to enter tokenB into the trakt.tv authentication page.
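The three steps above, simulated in-process with both the app's and the server's side, as an added example (not code from this page or from trakt.tv). `AuthServer`, `run_app`, the status strings and the 600-second lifetime are assumptions made for illustration; the point is that tokenA never leaves the app, tokenB is single-use, and the final answer is handed out once.

```python
import secrets
import time

class AuthServer:
    """In-memory stand-in for the OAuth server (hypothetical, not a real API)."""
    def __init__(self, now=time.time, ttl=600):
        self.now, self.ttl = now, ttl  # ttl: assumed lifetime of a pending request
        self.pending = {}              # tokenA -> request state
        self.by_code = {}              # tokenB -> tokenA

    def start(self):
        """Step 1: issue tokenA (secret, stays in the app) and tokenB (shown to the user)."""
        token_a = secrets.token_urlsafe(32)
        token_b = secrets.token_hex(4).upper()
        self.pending[token_a] = {"status": "pending", "expires": self.now() + self.ttl}
        self.by_code[token_b] = token_a
        return token_a, token_b

    def decide(self, token_b, user, allow):
        """Step 2: the logged-in user approves or declines in the browser via tokenB."""
        token_a = self.by_code.pop(token_b, None)  # tokenB is single-use
        req = self.pending.get(token_a)
        if req is None or self.now() > req["expires"]:
            return False
        req.update(status="approved" if allow else "declined", user=user)
        return True

    def poll(self, token_a):
        """Step 3: the app polls with tokenA until the user has decided."""
        req = self.pending.get(token_a)
        if req is None or self.now() > req["expires"]:
            self.pending.pop(token_a, None)
            return {"status": "invalid"}  # unknown and expired look the same to the caller
        if req["status"] == "pending":
            return {"status": "pending"}
        del self.pending[token_a]  # a final answer is delivered only once
        if req["status"] == "declined":
            return {"status": "declined"}
        return {"status": "approved", "user": req["user"],
                "access_token": secrets.token_urlsafe(32)}

def run_app(server, user_action, max_polls=5):
    """App side: get tokens, show tokenB to the user, then poll with tokenA."""
    token_a, token_b = server.start()
    user_action(token_b)  # stands in for the user opening the URL in a browser
    for _ in range(max_polls):
        result = server.poll(token_a)
        if result["status"] != "pending":
            return result
    return {"status": "timeout"}
```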