Authorization Code grant type in desktop MFC appli

Posted 2019-08-23 04:37

Question:

I'm developing a desktop MFC application which uses the TradeStation WebAPI (http://tradestation.github.io/webapi-docs/). The WebAPI provides the "Authorization Code Grant Type" (http://tradestation.github.io/webapi-docs/en/getting-started/security-overview/), which is the following: 1) The client application will route the end-user to our MFA (multi-factor authentication) login page web page. 2) Upon successful authentication, the user agent (browser) will be redirected to the URL provided and include an Authorization Code in the query string. 3) Some other stuff...

The problem is I don't know how to obtain the code from step 2. I've looked at some examples and found only two approaches.

  1. The MFC application implements an embedded browser (rather than using the default system browser) derived from the WebBrowser ActiveX control and implements a BeforeNavigate event handler to get the code on redirection. Drawback - the embedded browser implementation is too heavy just to obtain the code; moreover, it may be rejected by users who don't trust embedded browsers.
  2. The application uses the default system browser, which is redirected to a web site. The web site accepts the code and then passes it to the application. Drawback - a web site is required.

Both have drawbacks, and I'm wondering if there are other approaches to implement the "Authorization Code grant type" in my application.

Answer 1:

Both approaches are valid, so you should go with the one that provides the best user experience. You can see more on implementing the embedded browser into your MFC application here http://msdn.microsoft.com/en-us/library/aa752046%28VS.85%29.aspx. You cannot remove the website requirement from the TradeStation WebAPI as it is designed primarily to service web and mobile applications.
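
As an added example (not part of the question or the answer, and not TradeStation's code): the check a BeforeNavigate handler in approach 1 could run on every URL it sees, accepting the authorization code only when the URL is exactly the registered redirect URL plus a query string. The function names and the redirect URL passed in are assumptions, and `error` is the standard OAuth 2.0 error parameter, assumed here to apply to this API.

```cpp
#include <cctype>
#include <string>

// Decode %XX escapes in a query value; returns false on a malformed escape.
static bool percentDecode(const std::string& in, std::string& out) {
    out.clear();
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size() || !std::isxdigit((unsigned char)in[i + 1]) ||
            !std::isxdigit((unsigned char)in[i + 2]))
            return false;
        out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
        i += 2;
    }
    return true;
}

// Hypothetical helper: true (and codeOut set) only if `url` is the registered
// redirect URL followed by '?' and a query with exactly one non-empty `code`.
bool extractAuthCode(const std::string& url, const std::string& redirectUri,
                     std::string& codeOut) {
    codeOut.clear();
    const size_t n = redirectUri.size();
    // Exact prefix plus '?': a look-alike host/path, or a URL that merely
    // carries the redirect URL inside another parameter, does not match.
    if (url.size() <= n || url.compare(0, n, redirectUri) != 0 || url[n] != '?')
        return false;
    std::string query = url.substr(n + 1);
    query = query.substr(0, query.find('#'));       // drop any fragment
    std::string code;
    bool seen = false;
    for (size_t pos = 0; pos <= query.size();) {
        size_t amp = query.find('&', pos);
        if (amp == std::string::npos) amp = query.size();
        const std::string pair = query.substr(pos, amp - pos);
        const size_t eq = pair.find('=');
        const std::string key = pair.substr(0, eq);
        if (key == "error") return false;           // login failed or was denied
        if (key == "code") {
            // A repeated or valueless `code` is ambiguous: reject it.
            if (seen || eq == std::string::npos) return false;
            if (!percentDecode(pair.substr(eq + 1), code) || code.empty())
                return false;
            seen = true;
        }
        pos = amp + 1;
    }
    if (seen) codeOut = code;
    return seen;
}
```

The handler would cancel the navigation and close the browser window once this returns true, so the code is never loaded as a page.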