What you describe would work in theory, but I can think of two problems right off.
The first one is that I don’t have my coldbox folder web-accessible and I assume many others don’t as well. That would make it difficult to access the files necessary to generate the oAuth access tokens.
The second one is that I’m pretty certain we wouldn’t want to share the developer key and developer secret. One person who abused the account would screw everyone when the shared app was taken down. Also, you’re never supposed to share your developer secret, but that would require is to publicly advertise it. I think there’s also a restriction on the call-back URL where it has to be on the same domain as the domain that the app is registered under.