I know this is a bit of an old question, but I think a lot of the questions here have been addressed in different areas. In particular, I think the OAuth 2.0 Protocol has been considering a lot of these questions; I don't feel authoritative enough to provide a summary of their answers here, but the linked site has a lot of differing use cases called out explicitly, which seems very useful for this question, even if the full OAuth 2.0 isn't really necessary here.
