In the app settings page, under Application Callback URL, the explanation reads:
When a merchant installs the app, or clicks on the app banner from their store admin, we will redirect them to this URL.
So this is a multi-purpose URL; how do I distinguish the scenarios? Is it by checking for the 'code' URL parameter? If it exists it means an OAuth callback, and if it's not there it means an app banner click from an existing shop admin area?
The install and login paths via OAuth are the same. If you install the app the first time, the shop shouldn't be there (or should be flagged as deactivated) and you'll know that the shop is new. Otherwise you'll have a record of them having logged in and you just set up their session details appropriately as you would when they sign up. You just don't do any setup work that you may have to do (create webhooks, etc.).
Mmm... if I am to follow this logic, then I also need to implement a webhook for app/uninstalled. Otherwise, if a shop uninstalls the app, then reinstalls it, and I, on my server, treat a known shop URL as an indication of an active shop, then I would miss the new access_token and no API method will work for that shop.
During login you can always grab the access_token. You can do this by not storing anything other than the token in the session and seeing how your app can still make API calls (for any session-based actions). Then try this in an incognito window, and you'll see that this is still the case.
Anyway, yes, if you want to know whether an app has been removed you'll need to register for the app/uninstalled webhook.
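The flow discussed in this thread, as an added example that is not from the original posts or from Shopify: the callback handler tells install, login and reinstall apart from the stored shop record, always keeps the token from the current login, and the app/uninstalled handler flags the shop as deactivated. The `Shop`, `ShopStore` and `run_setup` names, the in-memory store and the token strings are assumptions, and the OAuth exchange is assumed to have completed before `handle_callback` is called.

```python
from dataclasses import dataclass, field

@dataclass
class Shop:
    access_token: str
    active: bool = True
    setup_runs: int = 0  # how many times one-time setup has been performed

@dataclass
class ShopStore:
    shops: dict = field(default_factory=dict)  # shop domain -> Shop

def run_setup(shop: Shop) -> None:
    # Hypothetical stand-in for one-time work such as creating webhooks
    # (including the app/uninstalled webhook).
    shop.setup_runs += 1

def handle_callback(store: ShopStore, domain: str, access_token: str) -> str:
    """Runs on the callback URL once a token has been obtained for `domain`.
    Returns "install", "reinstall" or "login"."""
    shop = store.shops.get(domain)
    if shop is None:                      # never seen before: new install
        shop = store.shops[domain] = Shop(access_token=access_token)
        run_setup(shop)
        return "install"
    shop.access_token = access_token      # never keep relying on an older token
    if not shop.active:                   # flagged by the uninstall webhook
        shop.active = True
        run_setup(shop)                   # setup work has to be redone
        return "reinstall"
    return "login"                        # known, active shop: session only

def handle_app_uninstalled(store: ShopStore, domain: str) -> None:
    """Handler for the app/uninstalled webhook: flag the shop as deactivated."""
    shop = store.shops.get(domain)
    if shop is not None:
        shop.active = False
        shop.access_token = ""            # drop the stored token

def demo() -> list:
    store = ShopStore()
    domain = "example-shop.myshopify.com"  # constructed sample value
    seen = [handle_callback(store, domain, "token-1"),
            handle_callback(store, domain, "token-2")]
    handle_app_uninstalled(store, domain)
    seen.append(handle_callback(store, domain, "token-3"))
    return seen

if __name__ == "__main__":
    print(demo())
```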