On below contents
[ When SmartThings receives an access token (obtained in an OAuth integration) from a third party, it sends a callback authentication code as seen below. The third party can use this code to request callback access tokens.]
(1) Who is ‘third party’?
(2) When ‘third party’ send access token to ‘SmartThings’?
(3) Not need return for this interactionType(‘grantCallbackAccess’)?
If you are developing an OAuth server to control the authentication, that server (your cloud) is the Third-party (a cloud external to SmartThings).
When the user login into your OAuth server, you need to return an access token code.
Check this sample where an OAuth server is included for testing purposes and you will be able to check how the access token is generated randomly (You can set your own mechanism).
3. The grantCallbackAccess is not needed unless you want to send updates from your cloud to SmartThings, for example, when the device status is changed manually and not from the ST mobile app.
Check more details about its configuration in the Node JS Schema Connector SDK repository and let me know if you have any doubts.