OAuth 2.0 missing auth flow;

1. Application requests tokens (tokenA & tokenB) from OAuth server
2. Application launches browser with link containing tokenB to ask user for OAuth permissions
3. Application initiates a request to the OAuth for confirmation or declined of authentication containing tokenA (long-polling)

This avoids the requirement of a callback URL, allowing non-browser apps to authenticate users without prior knowledge of username, password or other authentication key.

  Commandline application `app`
  
  app     <--> server     app initiates authentication flow
  browser  --> server     app opens browser or presents URL so that user can log in and give permission
  app     <--> server     app initiates long-polling requests waiting for user to give permission, and for the server to send back data

For an example of how this can be implemented in practice, see https://trakt.tv/activate User is asked to enter tokenB into the trakt.tv authentication page by the TV app