[SalesForce] What callback URL to use to redirect back to VF page from External system

When setting up oAuth on an external system you need to provide a Callback URI for the external oAuth to redirect to. This URI must be static and passed in as a parameter to the oAuth call.

When developing a managed package one cannot modify the callback based on the pod for each customer. Previously I used ap1 and was incorrect in thinking it meant "Access Point" years ago. I never really went and looked, but now I know it is Asia Pacific. Oh my, what a dumb move on my part…

So, if I am using Visualforce to start the oAuth process and then handle the redirect to make the token request, what URL should I put in the external system so it always resolves to the correct pod and returns to the VF page without requiring the user to log in (the session is still valid for the browser)?

External System
https://xxx.com/authorize

oAuth Callback URL is defined and must be static. i.e. (pod is just an example)

https://ap1.salesforce.com/apex/authHandler

The callback is the URL the code is sent back to once the user approves the access.

Salesforce

VF Page (authHandler) controls the entire process.

  1. On load it redirects to the external system.
  2. When redirected to the callback URL defined in the external system, the VF page sees the code in the parameters and makes an HTTPRequest to get the access and refresh tokens.

Question

  1. What URL do I use for the callback that will resolve and get back to the VF page without being redirected to login.salesforce.com?ec=xxxxx and requiring login? The session is still valid so it does not ask for a password.

If the above is not possible, I guess I could create a site page on our business org to handle the redirects and serve as the static URL.

Best Answer

It depends on the OAuth2 implementation that you're authenticating against, but generically speaking, login.salesforce.com should work for production instances, test.salesforce.com should work for sandbox instances. What happens is that when you hit either login server, if there's a path afterwards, the login server tries to forward them to their existing session.

For your managed package, your callback URL should look like this:

https://login.salesforce.com/apex/myns__mypage

Or for sandboxes:

https://test.salesforce.com/apex/myns__mypage

Since most OAuth2 implementations only allow one callback URL, you'll need to have two separate "apps", one for production, and one for sandboxes.

Your VF page should query the Organization object beforehand to determine if you're in a sandbox or not.
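
The flow described in the question combined with the sandbox check from the answer, as an added example that is not code from the original post or from Salesforce. The controller name, `TOKEN_URL`, the client ids and the client secret are hypothetical placeholders; the `state` cookie check is an addition beyond what the answer describes and assumes the login-server forward preserves the query string, as it must for `code` to arrive.

```apex
// Added example, not from the original post: hypothetical controller for the authHandler page.
public with sharing class AuthHandlerController {
    static final String AUTHORIZE_URL = 'https://xxx.com/authorize'; // from the question
    static final String TOKEN_URL = 'https://xxx.com/token';         // assumed placeholder
    static final String CLIENT_SECRET = 'PLACEHOLDER'; // keep in a protected custom setting
    Boolean isSandbox = [SELECT IsSandbox FROM Organization LIMIT 1].IsSandbox;
    // Static callback registered with the external app for this environment.
    String callbackUrl() {
        return 'https://' + (isSandbox ? 'test' : 'login') + '.salesforce.com/apex/myns__mypage';
    }
    // One external "app" per environment, so one client id each (placeholders).
    String clientId() {
        return isSandbox ? 'SANDBOX_CLIENT_ID' : 'PRODUCTION_CLIENT_ID';
    }
    // Page action: <apex:page controller="AuthHandlerController" action="{!handle}">
    public PageReference handle() {
        Map<String, String> p = ApexPages.currentPage().getParameters();
        if (String.isBlank(p.get('code'))) {
            // Step 1: send the browser to the external system with a one-time state value.
            String state = EncodingUtil.convertToHex(Crypto.generateAesKey(128));
            ApexPages.currentPage().setCookies(
                new Cookie[] { new Cookie('oauth_state', state, null, 600, true) });
            PageReference pr = new PageReference(AUTHORIZE_URL);
            pr.getParameters().putAll(new Map<String, String>{ 'response_type' => 'code',
                'client_id' => clientId(), 'redirect_uri' => callbackUrl(), 'state' => state });
            pr.setRedirect(true);
            return pr;
        }
        // Step 2: accept the code only if state matches the cookie set in step 1.
        // equals() is used because == on Apex strings is case-insensitive.
        Cookie c = ApexPages.currentPage().getCookies().get('oauth_state');
        if (c == null || !c.getValue().equals(p.get('state'))) {
            ApexPages.addMessage(new ApexPages.Message(ApexPages.Severity.ERROR, 'OAuth state mismatch'));
            return null;
        }
        HttpRequest req = new HttpRequest();
        req.setEndpoint(TOKEN_URL);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        // redirect_uri must be the same static URL that was sent in step 1.
        req.setBody('grant_type=authorization_code'
            + '&code=' + EncodingUtil.urlEncode(p.get('code'), 'UTF-8')
            + '&client_id=' + EncodingUtil.urlEncode(clientId(), 'UTF-8')
            + '&client_secret=' + EncodingUtil.urlEncode(CLIENT_SECRET, 'UTF-8')
            + '&redirect_uri=' + EncodingUtil.urlEncode(callbackUrl(), 'UTF-8'));
        HttpResponse res = new Http().send(req);
        // res.getBody() carries the access and refresh tokens; store them in protected storage.
        return null;
    }
}
```

The callout to the token endpoint only succeeds if its host is listed in the subscriber org's Remote Site Settings.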
