Yes, the authCallback? url is a dummy/placeholder. This was setup as part of configuring my endpoint when I created/configured the app in github.com. There may be restrictions on what is a valid callback url, many oauth implementations will only allow redirects to https://
Joe has discussed some of the security issues in the comments thread of the pr.
Personally, I am also not crazy about the custom-scheme because it is involving the operating system and potentially needlessly dumping the application intent and possibly even losing state in the process. The entire round trip nature of the messaging is complex, plus there is no guarantee that other apps on the device do not use the same scheme meaning all kinds of madness.