Not having the keys stored in the source code actually is actually bad a practice in the accoding to the most agile setup (continuous deployment).

But, by what you say, you want to have two groups: those who can make the code, and those who can deploy it. Those who can deploy it have access to the keys, and, in the most secure setting, must NOT use the code of the application. You can make the oauth still work by having those who code autenticate to a system that proxies all the authorization part, and authenticates de application. Such keys (app -> auth middle man) can be in repository, as they are internal.

Any other setup: authentication library created by those who can deploy, encrypted keys, anything else can be broken by those who make the code. If you don’t trust them enough to have access to the keys, you probably don’t trust them enough not to try to jailbreak the keys.

The resulting deployment scheme is much more complicated, and, therefore much more prone to erros. But it is, otherwise, more secure. You still have to trust someone, like those who install the operating system, the proxy’s system middleware, those who maintain the proxy’s machine(s), those who can long on it, and so on. If the groupo of people with access to the keys is small enough, and you trust them, then you’ve gained security. Otherwise, you lost security, ability to respond to change, and wasted a lot of people’s time.

Unfortunately, all authorization schemes require you to trust someone. No way around it. This is valid for any application/framework/authorization scheme, not only sinatra, rails, oauth, java, rsa signatures, elliptic curves, and so on.