OAuth 2.0 for desktop and mobile applications

The OAuth wiki lists numerous options you can use, all of which have downsides. The simplest involves you running a web app that can display the token to the user, and then the user copies the token (and maybe the refresh token) into your desktop app.

If you have plenty of time then you could investigate registering a custom URI with the desktop operating system, and then use that as the redirect_uri to automatically transfer back to your app from the browser. This has the best user experience.

A malicious app can easily pretend to be your desktop app in these scenarios, and security relies on your users not installing malicious apps.