I understand why the OAuth callback mechanism was disabled because of the recent vulnerability.

But a better approach, one that maintains security and avoids the vulnerability, is to lock down the return URL that the user is redirected to after authorizing their token. Twitter now redirects to a static URL we specify on the application page, which is fine. The problem is when our apps have different sign-in flows. Sometimes we will register a user via Twitter; other times, an existing user wants to add a Twitter function to their account, for example.

I propose that instead of locking down the return URL to a single one, we instead set base domains. This way I can specify any return URL as the callback, but it will only be valid and used IF the domain in that URL matches the domain on the application's account.

The main problem I have is that I have the same application running on different domains, such as example.com, example.de, example.fr, etc. Redirecting users back to example.com all the time breaks the flow, as the user is actually using the French version at example.fr. Creating multiple applications can be a headache.

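As an added example (not part of the original post or of Twitter's code), here is the domain-match check the post proposes, in Python. The registered domains and callback URLs are constructed for illustration; it assumes HTTPS-only callbacks and an exact hostname match, and it also shows why a naive string-prefix comparison is not a safe substitute.

```python
from typing import Iterable
from urllib.parse import urlsplit

# Constructed sample: the base domains registered on a hypothetical application record.
REGISTERED_DOMAINS = frozenset({"example.com", "example.de", "example.fr"})

# Constructed sample: the static fallback URL from the application page.
DEFAULT_CALLBACK = "https://example.com/oauth/callback"


def callback_allowed(url: str, registered: Iterable[str] = REGISTERED_DOMAINS) -> bool:
    """True only if the URL is https and its parsed hostname is exactly a registered domain.

    Parsing with urlsplit (rather than comparing strings) means userinfo tricks such as
    https://example.com@evil.net/ resolve to hostname 'evil.net' and are rejected.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":          # assumption: callbacks must be https
        return False
    host = parts.hostname                 # lowercased, port and userinfo removed
    if not host:
        return False
    return host in {d.lower() for d in registered}


def naive_prefix_check(url: str, registered: Iterable[str] = REGISTERED_DOMAINS) -> bool:
    """The check NOT to use: a prefix match accepts hosts like example.com.evil.net."""
    return any(url.startswith("https://" + d) for d in registered)


def choose_redirect(requested: str, default_url: str = DEFAULT_CALLBACK,
                    registered: Iterable[str] = REGISTERED_DOMAINS) -> str:
    """Use the caller-supplied callback only when it passes the domain check; otherwise
    fall back to the static URL configured for the application."""
    return requested if callback_allowed(requested, registered) else default_url


if __name__ == "__main__":
    for candidate in ("https://example.fr/twitter/link?uid=42",
                      "https://example.com.evil.net/cb",
                      "https://example.com@evil.net/cb"):
        print(candidate, "->", choose_redirect(candidate))
```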