I'm new to Oauth and was just wondering that if you are using a web view and if the user logs in then the app can just inject some javascript to monitor whats entered in the login page. Thus defeating the purpose of using Oauth. To prevent this shouldn't you open the URL in safari, have the user log in there, and then redirect back to the app afterwards? That way the app can't steal the users credentials. This is more of an issue for framework developers I suppose. However if this is designed for use in a highly trusted environment why not just use the password flow instead of authorisation code flow?