The solution to this has been built into the spec since day one. The "correct" approach is to send the user to the website of the OAuth provider, using the default "http" handler on the device (i.e., the user's browser). The OAuth provider should then display a mobile-friendly sign-in / authorise page within the browser so that the user can authorise the application's request. Once they've clicked the authorise button, the OAuth provider should redirect back to the app using a custom protocol handler (e.g., x-templerun://authorize) that the app can register on the device. Once the app receives the redirect, it's able to obtain the token for future requests. It's a shame that Twitter et al. haven't done a better job documenting this (or maybe they have?), because it really is supported in the design of the protocol. Native-app clients (desktop originally, not on the phone, since iPhone/Android apps didn't yet exist) were one of the motivating use cases for OAuth.
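The app side of the flow described above, as an added example that is not part of the original post: it builds the URL to open in the browser and validates the URI that arrives at the custom protocol handler before any token is requested. Assumptions: an OAuth 2.0 authorization-code flow with `state` and PKCE (which the post does not mention), a hypothetical provider endpoint and client id, and the post's `x-templerun://authorize` as the registered redirect.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values for illustration: hypothetical provider endpoint and client id.
AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "x-templerun://authorize"  # custom scheme used as the example in the text


def begin_authorization():
    """Build the URL to open in the system browser, plus per-attempt secrets to keep."""
    state = secrets.token_urlsafe(32)      # binds the redirect to this attempt
    verifier = secrets.token_urlsafe(64)   # PKCE code_verifier (RFC 7636), 86 chars
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}", {"state": state, "code_verifier": verifier}


def handle_redirect(uri, pending):
    """Validate the URI handed to the app's protocol handler; return the auth code."""
    got, want = urlsplit(uri), urlsplit(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect target does not match the registered URI")
    params = parse_qs(got.query, keep_blank_values=True)
    if "error" in params:
        raise ValueError("provider reported an error: " + params["error"][0])
    for name in ("code", "state"):
        if len(params.get(name, [])) != 1 or not params[name][0]:
            raise ValueError("missing or duplicated parameter: " + name)
    if not hmac.compare_digest(params["state"][0].encode(), pending["state"].encode()):
        raise ValueError("state mismatch: redirect does not belong to this attempt")
    # The code is exchanged for the token together with pending["code_verifier"].
    return params["code"][0]
```

Because any app on the device can register the same custom scheme, the `code_verifier` kept in `pending` is what stops an app that intercepts the redirect from redeeming the code.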