Simplest Dart code to post a tweet using OAuth (dantup.com)
4 points by d2p on Jan 27, 2017 | 3 comments

I'm wondering: why haven't you used the oauth and/or the twitter packages?

(Well, I can understand the twitter package, because it requires a bit of tweaking, but not too much.)

I guess I didn't really investigate packages for Dart as I already had the C# code so I just ported. The reason I hand-rolled it for C# was mentioned briefly in the C# post; all the OAuth libraries were HUGE (like DotNetOpenAuth pulled in 10+ NuGet packages). Not only did these seem like overkill for what I wanted to do, they also seemed like massive liabilities.

I feel like I spend half of my life at work investigating or working around bugs in dependencies added by past developers, patching abandoned libraries, fixing conflicting dependency version constraints or just working around incompatibilities between their goals and ours (both of which may have changed since the dependencies were added).

I also think we generally don't think hard enough before taking on dependencies from complete strangers. With Dart this isn't quite so bad because the source is all there and you can scan through it, but in C# people just pull binary dependencies and assume they're safe. I don't think this is good practice and I think it's only a matter of time before some relatively popular package ends up with obfuscated malware in the binary in the package (but not the repo) and everyone will get upset :-(


I just actually took a look at the Dart twitter pub package. It has a bunch of TODOs on the homepage and the pubspec shows a dependency on a Git repo by the same author for OAuth using the "random-secure" branch. Not only is this repo full of stuff I don't need (like Shelf extensions to do OAuth flow I don't want) but the Git dependency means I have no control over the version of that that gets pulled (and the name of the branch doesn't fill me with confidence). Sure, if I used it it would probably work; but for the little code it took I'd rather eliminate a huge set of possible future complications if that author starts making changes in that Git repo.

I know some will refer to this as NIH and I'm ok with that. I'd rather spend a little more time now and save time later, and in my experience taking random deps (esp. from small unknown devs) always results in pain down the line. I don't claim this is the best/correct way, it's just what feels best to me based on my experiences :-)

I just noticed the OAuth package on pub is the same guy, so I wonder whether the published twitter package uses that instead of the git repo mentioned in the pubspec on GitHub. That would be slightly better.

That said, with OAuth so common and used by Google a lot (and such a risk to get wrong) I'm surprised there isn't a Dart Team-owned package for this. I'd be much more confident using something from a company with a reputation to protect and a good dev/QA process.
