The current web interface OAuth support uses the normal authorization flow, but that only allows for a single authorization at a time (auth codes cached by UID). I think we should just support the device authorization flow (QR code and link) which will better work...