-
Step One: Third party app developer (hereafter "the app") registers an application with the service provider (called here and afterwards "the service provider"), like Twitter or Gimme Bar. The app receives an API key, where it is made explicitly clear that storing username/password combinations is not necessary and is a violation of the terms of service for the API.
-
Step Two: Over SSL/TLS, the app exchanges a username/password combination given to them by the end user, and provides it to the service provider, along with their API key in exchange for an access token.
####But wait, isn't that insecure? Why is the user giving you their password? oAuth prevents this!!!!
If the app is a malicious mobile or desktop application, the app can very easily steal your password if desired - the app can redirect you to a "web browser", which it controls, and steal your username and password if the app is a dick. This is only one avenue of several a malicious app