Clarification on oAuth implementation

We are looking to implement oAuth 1.0a into our LRS and I would like for someone to verify my understanding of the spec.

The table outlining the various scenarios for oAuth support here seem to imply both 3 legged (Known user) and 2 legged (Unknown user) oAuth implementations. Is this correct? If so, the LRS only needs to support one of these methods to be compliant?
The No Application/Known user is really just Basic auth, and has no relation to oAuth.
The User Unknown/Application Is Registered section is confusing with the "OAuth token steps are not invoked". Can I get more clarification on what this means?

The endpoints outlined here appear to be specific for a 3 legged implementation. Can someone clarify my interpretations of these endpoints?

The endpoint /OAuth/initiate provides an application token (even though it says temporary token) for a specific consumer key.
Once you obtain your application token, call /OAuth/authorize with your scopes as query parameters, and an authorization header outlining the user credentials to generate a new authorization token. This new token should be persisted in some fashion as it contains the relationship between this user, token and their scopes.
To obtain a token to access the LRS, call /OAuth/token with an authorization header to generate the token (that probably has some sort of expiration on it) with the authorization token from the previous step (/OAuth/authorize). This token also needs to be persisted for the protected resource so it can verify the signature.
The LRS (protected resources) verifies the signature from the request using the token information that was persisted in previous request (/OAuth/token)

Thanks in advance!

adlnet / xAPI-Spec