OAuth 2.0 requires an exact callback URL to be registered. Users sometimes put in something like https://mysite.com and we tend to reject those with a message like "OAuth 2.0 grants only work with exact callback URLs. This grant is unlikely to work." That's not a great use of everyone's time (and in some rare cases maybe the user did want that to be an exact URL); it would be better to show a warning up ahead.
Whenever the "OAuth callback URL" field of the OAuth consumer creation form is filled with an URL that has no path, query or fragment component, and the protocol is OAuth 2.0, we should show a warning saying something like "OAuth 2.0 grants only work with exact callback URLs. Are you sure you want to use this URL?" The "Redirect URI" field in WikimediaApiPortalOAuth should have similar treatment.
See also: