A verifier code should be created if callback isn't provided
The OAuth spec states that:
"If the Consumer did not provide a callback URL, the Service Provider SHOULD display the value of the verification code, and instruct the User to manually inform the Consumer that authorization is completed. If the Service Provider knows a Consumer to be running on a mobile device or set-top box, the Service Provider SHOULD ensure that the verifier value is suitable for manual entry."
With the current implementation, the verifier code is generated only if a callback was provided and verified, so it is not possible to display the verifier value if the callback is missing.
The attached patch fixes that.
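
The behaviour requested above, as an added example. It is not the attached patch or the project's own code; the function names, the token dict layout and the 8-digit manual-entry format are assumptions made for illustration.

```python
import secrets
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: digits only, so the code is easy to type on a mobile device or set-top box.
MANUAL_ALPHABET = "0123456789"


def new_verifier(manual_entry: bool) -> str:
    """Return an unguessable verifier; short and numeric when the User types it by hand."""
    if manual_entry:
        return "".join(secrets.choice(MANUAL_ALPHABET) for _ in range(8))
    return secrets.token_urlsafe(16)


def authorize(token: dict, callback: Optional[str]) -> dict:
    """Authorize a request token and decide how the verifier reaches the Consumer."""
    # OAuth 1.0a uses the literal value "oob" (out-of-band) for "no callback URL".
    has_callback = bool(callback) and callback != "oob"
    # The verifier is created on every authorization, not only on the callback branch.
    token["verifier"] = new_verifier(manual_entry=not has_callback)
    token["authorized"] = True
    if not has_callback:
        # No callback: the Service Provider shows the code to the User.
        return {"action": "display", "verifier": token["verifier"]}
    parts = urlsplit(callback)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("oauth_token", token["key"]), ("oauth_verifier", token["verifier"])]
    location = urlunsplit(parts._replace(query=urlencode(query)))
    return {"action": "redirect", "location": location}


def exchange_allowed(token: dict, presented: str) -> bool:
    """Check the verifier at access-token exchange using a constant-time comparison."""
    expected = token.get("verifier", "")
    return bool(token.get("authorized")) and secrets.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed sample tokens and callback URL.
    print(authorize({"key": "reqtok1"}, None))
    print(authorize({"key": "reqtok2"}, "https://consumer.example/cb?state=1"))
```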