Yes, the authCallback?

Yeah, that makes sense security-wise. I also read Joe’s comments; his most recent one adds some clarity.

What I’m still missing is what to use for a redirect_uri when there is no server involved. Using a dummy URL seems like a security risk, too, in that now (in your example) is able to intercept the response.
