Hi marcc, actually it is done correctly and that is how OAuth works. In order to get the user access token the user has to first login to authenticate they are the rightful owner of the account and then grant access to the application. In our case, we could have sent the user to Netflix to login or we could have asked for the credentials on Qpicker and sent the details to Netflix who handles the authentication/access control.
http://josephsmarr.com/2008/10/01/using-netflixs-new-api-a-s...