omniauth-twitter
callback_url doesn't seem to matter
I'm not sure if this is a bug, but I'm bringing it to attention. I've worked my way through about 5 OmniAuth providers so far, hooking up my app; some allow multiple callback URLs, some only one (GitHub!). Twitter seems to not even care, because I can authenticate locally even if my callback URL is configured to be the live URL. It's convenient, but is it secure, and where was this decision made, up at Twitter or in the gem?
I think there is a setting "Callback URL Locked" at apps.twitter.com that controls it, though it needs to be tested.