Think of it this way: web browsers are ALLOWING oauth in the first place. Oauth only works when, when a user has to login, they do so in the oauth provider independently - so you need some sort of common dependency that works across all platforms, can execute code (JavaScript). Web browser are pretty much the only cooj denominator - unless you want each device (OS) manufacturer to have to provide their own auth which as a user is a worse solution.