Good OAuth approach (?)

I think you are misunderstanding how the OAuth handshake works. The user is redirected to your EBS after they sign in to Twitch, and this redirect provides you with the code parameter so you can process the login.

My OAuth flow looks like this:

  1. User visits config page, clicks oauth link
  2. Twitch OAuth pops up in a new window, asking the streamer to login with Twitch
  3. When they click ok, the popup window makes a GET to my EBS with the OAuth code
  4. My EBS validates the code, stores the access tokens, then renders a blank page with some JavaScript that calls back to the config page with success or fail.
  5. The config page closes the popup window, then shows an error for failures, or shows the next configuration stage on success.

In your first example, your EBS already has the tokens at stage 2, so it doesn’t make any sense to send them back to the config, and then back again to the EBS. Just send success/fail back to your config page, and have the state transition based on that.

Hope that helps.