After searching for several days, I found this mail archive on google:
It seems the user cannot enter the wrong PIN even once, if the user entered the wrong PIN the application should get new authorize URL again and users should go to the new authorize URL with new oauth_token.
Can this flow changed? i have to show users the QR Code on a device (not phone) to the auth URL and they will scan with their mobile phone to reach the PIN page. If they are entered the wrong PIN, they should rescan the “new” QR Code again and get the new PIN.
I think it will be better if they just can try again to enter the right PIN after entering the wrong PIN
