
How do developer sites like Facebook, Dropbox, or Twitter generate App IDs?


I'm working on a developer platform which needs to generate an App ID when developers register their application(s) to use our platform. On sites like FB, Dropbox etc., the common steps are: the developer specifies the app display name and some permission configuration for the new app, and then the site generates the unique App ID plus an App secret.

My question is how do they implement it, like the algorithm, mechanism, best practice and so on? Any help and details will be greatly appreciated!


Solution

  • App IDs are usually big numbers or a sequence of randomly-generated alphanumerical characters. For example, Twitter uses a sequence of 22 alphanumerical characters. App IDs are not secret, as you are often required to put them in client code to make API calls. You can generate one using your language of choice. See this one-liner in Python for example:

    import random, string
    # Alphabet: upper-case letters and digits; 20 is the size of the App ID you're wanting.
    # The App ID is public, so an unpredictable generator is not strictly required here.
    app_id = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(20))
    

    Secret keys, on the other hand, are unique identifiers or very long strings that can't be guessed. They are not public and should never, ever, be available to the public (in JavaScript code for example). This does not mean that you should use a complicated algorithm to generate them. A UUID (or GUID depending on how you like to call that) is perfectly acceptable here, but for added security you might want to store them securely in your database (e.g. encrypted), in case it gets dumped by a bad guy. Again, in Python, it all comes down to these two lines:

    import uuid
    # uuid4() is drawn from the OS random source; uuid1() would embed the host's
    # MAC address and a timestamp, which makes it guessable rather than secret.
    secret_key = str(uuid.uuid4())
    

    Secret keys are used in private dialogs between your server and your developer's code, so you should use them as proof that your developer knows his secret key along with his App ID. For example, Twitter requires that all API requests are signed with a combination of the developer's secret key plus a temporary challenge. The HMAC-SHA1 signature computed in the developer's code acts as proof that he knows both his secret key and the previous secret challenge that was sent by the Twitter API.

    So the complicated part is not generating App IDs or secret keys: it's writing secure code to ensure that you're talking with the right developer :) To get some inspiration, have a look (you seem to have already started to do so) at well-known APIs like Facebook, Twitter, LinkedIn or Google+ to see how the "big ones" deal with that kind of problem.
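The registration-plus-challenge flow the answer describes, put together as an added example (this is not code from the original answer or from any of the platforms named; the `AppRegistry` class, its in-memory storage, the `app_id:challenge` message layout and the 60-second challenge lifetime are assumptions made for the demo). It generates the public App ID and the secret from the OS CSPRNG via `secrets`, issues a single-use challenge, lets the developer side sign it with HMAC-SHA1, and verifies the signature server-side with a constant-time comparison, consuming the challenge so a replayed request fails:

```python
import hashlib
import hmac
import secrets
import string
import time

# Alphabet for the public App ID: upper-case letters and digits, as in the answer.
APP_ID_ALPHABET = string.ascii_uppercase + string.digits


def generate_app_id(length: int = 20) -> str:
    """Public, non-secret identifier. secrets.choice is used instead of
    random.choice so the generator is unpredictable even though the ID is public."""
    return "".join(secrets.choice(APP_ID_ALPHABET) for _ in range(length))


def generate_app_secret() -> str:
    """256 bits from the OS CSPRNG, URL-safe base64 encoded."""
    return secrets.token_urlsafe(32)


def sign(secret: str, app_id: str, challenge: str) -> str:
    """Developer side: HMAC-SHA1 over the App ID and the server's challenge.
    The "app_id:challenge" layout is an assumption of this example."""
    msg = f"{app_id}:{challenge}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha1).hexdigest()


class AppRegistry:
    """Hypothetical server-side registry (assumed for this example)."""

    CHALLENGE_TTL = 60.0  # seconds a challenge stays valid (assumed value)

    def __init__(self):
        self._apps = {}        # app_id -> {"name": ..., "secret": ...}
        self._challenges = {}  # app_id -> (challenge, issued_at)

    def register(self, display_name: str):
        """Step 1 of the answer: developer names the app, gets an App ID and secret."""
        app_id = generate_app_id()
        secret = generate_app_secret()
        # The answer recommends encrypting the secret at rest; it is kept in
        # memory here only to keep the example self-contained.
        self._apps[app_id] = {"name": display_name, "secret": secret}
        return app_id, secret

    def issue_challenge(self, app_id: str, now=None) -> str:
        """Server hands out a fresh random challenge for one signing attempt."""
        if app_id not in self._apps:
            raise KeyError("unknown app_id")
        issued_at = now if now is not None else time.time()
        challenge = secrets.token_hex(16)
        self._challenges[app_id] = (challenge, issued_at)
        return challenge

    def verify(self, app_id: str, challenge: str, signature: str, now=None) -> bool:
        """Server checks that the caller knows the secret bound to app_id
        and the challenge it was just given."""
        app = self._apps.get(app_id)
        pending = self._challenges.get(app_id)
        if app is None or pending is None:
            return False
        expected_challenge, issued_at = pending
        now = now if now is not None else time.time()
        # Consume the challenge before checking anything else, so a replay of
        # the same request fails even if every other check would pass.
        del self._challenges[app_id]
        if now - issued_at > self.CHALLENGE_TTL:
            return False
        if not hmac.compare_digest(challenge, expected_challenge):
            return False
        expected_sig = sign(app["secret"], app_id, challenge)
        # Constant-time comparison: a plain == leaks timing about the signature.
        return hmac.compare_digest(expected_sig, signature)


if __name__ == "__main__":
    registry = AppRegistry()
    app_id, secret = registry.register("demo app")
    challenge = registry.issue_challenge(app_id)
    signature = sign(secret, app_id, challenge)
    print("app_id:", app_id)
    print("first verify:", registry.verify(app_id, challenge, signature))
    print("replay verify:", registry.verify(app_id, challenge, signature))
```

The two pieces that make this secure are not the ID or secret generation but the verification path: the challenge is random, single-use and time-limited, and both the challenge and the signature are compared with `hmac.compare_digest` rather than `==`.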