I discovered that you can access the mappings in an app without going through the Oauth process. I was having a hard time using the Oauth with my app, but discovered you can use the installed app ID # (that is found in the logs on the ide) to access the mappings. It does require you to authenticate, but not by going through the ST interface. Check out the php file https://github.com/baldeagle072/smartthings-the_one_thermostat/blob/master/thermostat.php for more info.
IMHO, the purpose of OAuth is to generate access token that can be used to authenticate user without transmitting her username/password across the net. If access token is compromised, then the damage is limited to just a single entity (a SmartApp in this case) and the token can be revoked. If username/password is compromised, you’re in a much bigger doo-doo.