In particular, the most common mode of using OAuth depends on some browser infrastructure. Is one of the browser options native (or roughly so) to Plan 9 up to the task? How reliably? Is the structure of the OAuth landing page standardized?
The first step would be to teach factotum to speak the part of the protocol that happens after the final hash is acquired. It would be inconvienent, but users could get that hash through the browser manually themselve, then hand it to factotum.
The next step would probably be an extension/replacement for auth/fgui (see factotum(4)) which would look for OAuth requests from factotum and handle launching a browser (or redirecting an existing one via the plumber) and handing the results back to factotum.
While it isn't OAuth, flickrfs has support for Flickr's pre-OAuth authentication method, which has some similarities. Interested students might look to it for reference or inspiration, particularly for the first half of the problem (as described above).