I was barking up the wrong tree. Turns out I don't need authentication for the requests my desktop application makes, only need to pass the client_id.
There's a limit per hour on the number of requests per client_id; for applications with multiple users, it makes much more sense to authenticate so that limit shifts to per-user (via OAuth access token), but for my single-user single-install application that's not necessary.