Out of all of these, I've always found the HMAC hashed request in OAuth 1 to make the most sense from a basic security point of view. The only concern being token refreshes.