Like this (but remember that the roles of your application and Discourse are swapped):
You can’t, Discourse will always send the user back here:
From there, you application can redirect the user wherever you want.
No, it’s a custom protocol.
Since Discourse redirects to a fixed URL to complete authentication, there’s no sanitization going on