oAuth2 callbacks should have a state variable within them to verify the callback.
However, when we click the "Add to Glip" button no state is passed. The callback URL looks like this:
Another problem is that as the callback does not occur in user's browser, we lost all kind of cookies/sessions. We have no idea who is the user clicking the "Add to Glip" button.