Acquiring the 'OAuth token secret' for authorized REST API call


While trying to calculate the signature for an authorized request on the REST API, we wonder where we get the ‘OAuth token secret’ from.

Our implementation is based on the documentation listed as Authorizing a request.

Our client app is a mobile native application, allowing the end user to log in using his Twitter account.
The client app then passes the access token acquired during the login process to our server.
The server implementation then calls the Twitter REST API (on behalf of the end user) in order to get a list of users that the end user is following.

Is the value of ‘OAuth token secret’ available during the login process, and if so, can it be passed to the server?

Is this a proper flow?
The level of integration does seem to be a little too complicated for such a simple API call.

Thanks in advance
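
Where the token secret enters the signature calculation the post asks about, as an added example that is not part of the original post: it follows the OAuth 1.0a HMAC-SHA1 rules (RFC 5849), where the signing key is the consumer secret and the token secret joined by `&`. The URL, keys, secrets, nonce and timestamp below are constructed placeholders, and the helper names are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values (placeholders, not real credentials or endpoints).
URL = "https://api.example.com/1.1/friends/list.json"
PARAMS = {
    "count": "5",
    "oauth_consumer_key": "sample-consumer-key",
    "oauth_nonce": "sample-nonce-0001",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1700000000",
    "oauth_token": "sample-access-token",
    "oauth_version": "1.0",
}
CONSUMER_SECRET = "sample-consumer-secret"  # stays on the server
TOKEN_SECRET = "sample-token-secret"        # issued together with the access token


def pct(value):
    """Percent-encode as OAuth 1.0a requires: only unreserved characters stay."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameter string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(param_string)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    digest = hmac.new(key, base, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


if __name__ == "__main__":
    print(signature_base_string("GET", URL, PARAMS))
    print(sign("GET", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET))
```

The access token (`oauth_token`) only appears as a signed parameter; without the matching token secret the key differs and the resulting signature will not verify.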