In the "Registering an App" subsection of the REST API's OAuth section (https://dev.twitter.com/docs/auth/oauth#registering-an-app), it mentions that:
"A best practice is to always send us an oauth_callback_url on every request token step, explicitly declaring what you want the callback to be. In the case where you want to invoke what's called the PIN/out-of-band flow, you would supply an oauth_callback_url of "oob". See this section for more on the PIN-code flow."
The "this section" link (https://dev.twitter.com/docs/auth/oauth#oob) points to an OOB section, though this seems to either not exist or have been moved.

Replies
It looks like this may be the intended URL: https://dev.twitter.com/docs/auth#oob
You're right Michael that the page doesn't exist but it certainly should. Here's a brief overview you can reference for using OOB authentication:
oauth_callback=oob should ONLY be passed to the request_token step of OAuth -- it's invalid to send it to any other end points of OAuth (as of OAuth 1.0A) -- it's not accepted on the authenticate or authorize pages because there's no way to validate the application set the callback (versus a malicious man in the middle).
Brief instructions:
1. set your app to desktop mode (by insuring you have no placeholder oauth_callback URL)
2. issue a request for a request token, including oauth_callback=oob as one of your parameters
3. once you have the request token, build your link to the authorize page, including only the oauth_token parameter (corresponding to the request token)
4. the user will be shown the oauth_verifier / PIN code.
5. ask your user to enter the PIN code, collect and store it temporarily in your app
6. submit a request for access token, including the PIN code the user gave you as the value for oauth_verifier
In non-out of band flow, the only difference here is that the value for oauth_callback is an explicit URL instead and the oauth_verifier is given to the application on the callback phase rather than being collected by the end-user.
You can keep your application marked as a client mode and still use oauth_callback=oob, but you can't use dynamic callback URIs with mode=desktop. Even if you've stored a default callback URL or implicitly want to do OOB OAuth, I recommend to always always always send an explicit oauth_callback on the request token step and never rely on any implicit value that may be stored in your client record.
Excellent, thanks Taylor!