They suggest using PKCE (challenge-response) https://tools.ietf.org/html/rfc7636 to authenticate clients that can't be trusted with a client secret.