I use OAuth for an application written in PHP, and as such, there's no possible way to trust the client/secret, given that the source is not obfuscated in any way. This application talks to my own server, and the OAuth flow is basically just a way to avoid storing username/password combinations. The client key/secret have to be treated as permanently compromised, so the only thing I use those for is version usage statistics.
The question is, given that your key/secret will be compromised, is there any point in even having it in the OAuth flow?