Tags: security, oauth, oauth-2.0, authorization, facebook-oauth

How are Facebook authenticating/authorizing their official native clients?


Let's stick with Facebook for this example.

I am assuming that FB uses its own public APIs (as well as internal ones that only they can use), and as they are using OAuth 2, would it be safe to assume they have "special client registrations" with permission to use the Resource Owner Password Credential Grant?

As you may know, when logging into Facebook from their own official apps, they don't pop open a browser, asking you if you allow Facebook to use Facebook, so if they are using OAuth themselves, how are they doing this securely?

We've all read that Twitter got their consumer keys leaked; how are Facebook avoiding this?

I am no security expert, nor do I have experience in reverse engineering. I am just in a situation where I am to implement an OAuth authorization server myself, and we wish to expose our APIs to 3rd parties, but as we ourselves have "official native apps", we'd like to use the Resource Owner Password Credential grant for the best user experience.

As per the OAuth 2 spec, native apps should not include client secrets, but how does that make things better? The way I see it, if you don't include the secret, and your client ID is extracted and used for password grants, the only way you can revoke it is by completely removing the client ID from your authorization server.

Am I missing something obvious here? How do "the big guys" do this?


Solution

  • The big difference is that the official Facebook app knows your username and password and therefore doesn't need to pop a browser, because it can directly authenticate.

    As a third party app, I cannot (ok, I could, but for privacy reasons I won't) ask for the user's email and password. As the official app, you can do this and thus directly perform a login (this may happen through an undocumented REST endpoint).
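The question asks how an authorization server can let only its own "official native apps" use the password grant. The following is an added example, not code from the question, the answer, or Facebook: a minimal token endpoint where the per-client registration (not a client secret, which a public native app cannot keep) decides which grant types a client may use. All client ids, secrets and user records are constructed for the example.

```python
# Added example: token endpoint restricting the Resource Owner Password
# Credentials grant to a registered first-party client. Every id, secret and
# user record here is constructed for illustration.
import hmac
import hashlib
import secrets

# Constructed client registry. Only the first-party app may use the password
# grant; the third-party client is limited to the authorization code flow.
CLIENTS = {
    "official-native-app": {
        "confidential": False,          # ships in a native binary: no secret
        "grant_types": {"password", "refresh_token"},
    },
    "third-party-web-app": {
        "confidential": True,
        "secret_sha256": hashlib.sha256(b"example-secret").hexdigest(),
        "grant_types": {"authorization_code", "refresh_token"},
    },
}

# Constructed user store: username -> PBKDF2 hash of the password.
_SALT = b"example-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}

def _client_authenticated(client, client_secret):
    """Confidential clients must present their secret; public clients have none."""
    if not client["confidential"]:
        return True
    if client_secret is None:
        return False
    digest = hashlib.sha256(client_secret.encode()).hexdigest()
    return hmac.compare_digest(digest, client["secret_sha256"])

def token_endpoint(params):
    """Handle a token request given as a dict of form fields; return (status, body)."""
    client = CLIENTS.get(params.get("client_id"))
    if client is None or not _client_authenticated(client, params.get("client_secret")):
        return 401, {"error": "invalid_client"}
    grant = params.get("grant_type")
    if grant not in client["grant_types"]:
        # The registration, not a secret, is what limits who may use ROPC.
        return 400, {"error": "unauthorized_client"}
    if grant == "password":
        stored = USERS.get(params.get("username"))
        given = hashlib.pbkdf2_hmac("sha256", params.get("password", "").encode(), _SALT, 100_000)
        if stored is None or not hmac.compare_digest(stored, given):
            return 400, {"error": "invalid_grant"}
        return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
    return 400, {"error": "unsupported_grant_type"}
```

Because the public client's id is not a secret, the allow-list only bounds which registrations may present passwords; revoking the official app's registration (as the question notes) disables the grant for every copy of it, which is why server-side controls on the password grant endpoint, rather than the client id, have to carry the protection.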