Folks, I found that OAuth feature (Remote Access) is now available for all orgs at last, but I'm doubting there's a fatal defect.

When reading help page of Remote Access feature (https://na7.salesforce.com/help/doc/en/remoteaccess_authenticate.htm) and referring OAuth core 1.0A spec (http://oauth.net/core/1.0a), I found current salesforce's behaviour is not fullfilling the specification.

In the help page it is described that it requires oauth_consumer_key parameter in Authorization redirect phase (see "Authorizing the User" section), but the 1.0A spec is not (see 6.2.1). It is not only a documentation bug, but it actually raises error when no oauth_consumer_key is passed. 

I'm not sure why salesforce requires consumer key other than oauth_token. Consumer key is considered not to be exposed to the users, so not used as a parameter during the user redirection.

I'm writing code that connects to salesforce using OAuth library on python, but not successful mainly because this spec violation.