This is the second step in the three step Redirection-Based Authorization defined in OAuth.
2. The resource owner authorizes the server to grant the client's access request (identified by the temporary credentials). -- RFC 5849, Section 2
This procedure returns a URI. It is up to you to redirect the user to this URI and handle the subsequent redirect back to a URI that you control once the user has granted the authorization.
If you are speaking OAuth 1.0 then you may supply callback-url at this stage, otherwise you must not.