OAuth 2.0 missing auth flow:
- Application requests tokens (tokenA & tokenB) from OAuth server
- Application launches browser with link containing tokenB to ask user for OAuth permissions
- Application initiates a request containing tokenA to the OAuth server and waits for confirmation or decline of authentication (long-polling)
This avoids the requirement of a callback URL, allowing non-browser apps to authenticate users without prior knowledge of username, password or other authentication key.
Commandline application `app`:
- app <--> server: app initiates authentication flow
- browser --> server: app opens browser or presents URL so that user can log in and give permission
- app <--> server: app initiates long-polling requests, waiting for user to give permission and for the server to send back data
For an example of how this can be implemented in practice, see https://trakt.tv/activate. The TV app asks the user to enter tokenB into the trakt.tv authentication page.
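The three steps above as an added Python example (not code from this note or from any real OAuth server), showing why the two tokens are kept separate: tokenB only selects the request the user approves, while the result can be collected only with tokenA, once, and before expiry. The names `AuthServer`, `start`, `decide`, `poll`, `run_flow` and the 600-second lifetime are assumptions, and `poll` returns immediately instead of holding the request open as a long-poll would.

```python
import secrets, time

class AuthServer:
    """In-memory stand-in for the OAuth server (hypothetical API)."""
    TTL = 600  # seconds a pending request stays valid (assumed value)

    def __init__(self, now=time.monotonic):
        self._now = now
        self._by_a = {}    # tokenA -> pending request record
        self._b_to_a = {}  # tokenB -> tokenA

    def start(self):
        """Step 1: the app requests the token pair."""
        token_a = secrets.token_urlsafe(32)  # secret, never leaves the app
        token_b = secrets.token_urlsafe(8)   # goes into the URL / is shown to the user
        self._by_a[token_a] = {"state": "pending", "expires": self._now() + self.TTL, "user": None}
        self._b_to_a[token_b] = token_a
        return token_a, token_b

    def decide(self, token_b, user, allow):
        """Step 2: the logged-in user approves or declines in the browser."""
        token_a = self._b_to_a.pop(token_b, None)  # tokenB is single use
        rec = self._by_a.get(token_a)
        if rec is None or self._now() > rec["expires"]:
            return False
        rec["state"], rec["user"] = ("approved" if allow else "declined"), user
        return True

    def poll(self, token_a):
        """Step 3: the app asks for the outcome with tokenA."""
        rec = self._by_a.get(token_a)
        if rec is None:
            return {"status": "invalid"}
        if self._now() > rec["expires"]:
            del self._by_a[token_a]
            return {"status": "expired"}
        if rec["state"] == "pending":
            return {"status": "pending"}
        del self._by_a[token_a]  # the outcome is handed out exactly once
        if rec["state"] == "approved":
            return {"status": "approved", "user": rec["user"], "access_token": secrets.token_urlsafe(32)}
        return {"status": "declined"}

def run_flow(server, user="alice", allow=True):
    """Drive one flow; also poll with tokenB to show it cannot redeem the result."""
    token_a, token_b = server.start()
    first = server.poll(token_a)["status"]
    server.decide(token_b, user, allow)
    return first, server.poll(token_a), server.poll(token_b)
```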