When the callback from the authorize returns to the callback URL (e.g. the client app), currently it only returns the
oauth_token. As per http://tools.ietf.org/html/rfc5849#section-2.2 this callback also requires
oauth_verifier. (I recently ran into a case where a client was expecting to see this since the spec requires it and failed to callback, in which authentication could not happen).