I see, this is one of those cases where you can make a trade-off, isn't it?
You can do on-device no-server authentication direct to an API, but this exposes the secrets to reverse engineering. Or you can choose to mediate everything via your own server, which mitigates that issue but drives up complexity and (ongoing) costs.
In the specific case of Facebook, this is the offline access scope - you grab the token once and then store it against the user on the server, and the client app then asks your server for everything rather than Facebook. That on-device client app doesn't need to see any part of the initial 'allow access' web browser flow, so again the secret can be kept on the server.
Unless I'm misreading.

Tom
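The server-mediated pattern described above, as an added illustration that is not part of the original message: the app secret and the long-lived token stay on the server, the device only ever holds an opaque session id, and the provider is a stub (all names here are hypothetical).

```python
"""Server-mediated third-party API access (hypothetical sketch).
The app secret and the user's long-lived token live only on our server;
the on-device app talks to our server with an opaque session id and
never receives either value. The upstream provider is a local stub."""
import secrets

APP_SECRET = "app-secret-PLACEHOLDER"     # never compiled into the client build
_UPSTREAM_TOKENS: dict[str, str] = {}     # stub provider: auth code -> token
_TOKEN_STORE: dict[str, str] = {}         # our server: user_id -> long-lived token
_SESSIONS: dict[str, str] = {}            # our server: session_id -> user_id


def _upstream_exchange_code(code: str, app_secret: str) -> str:
    """Stub for the provider's server-to-server code->token exchange.
    It needs the app secret, which is why it must run server-side."""
    if app_secret != APP_SECRET:
        raise PermissionError("bad app secret")
    token = "long-lived-" + secrets.token_hex(8)
    _UPSTREAM_TOKENS[code] = token
    return token


def _upstream_fetch(token: str, resource: str) -> dict:
    """Stub for a provider API call authenticated with the stored token."""
    if token not in _UPSTREAM_TOKENS.values():
        raise PermissionError("invalid token")
    return {"resource": resource, "data": f"constructed data for {resource}"}


def link_account(user_id: str, auth_code: str) -> str:
    """Runs once, after the browser 'allow access' flow lands on the server.
    Stores the token against the user and returns only a session id."""
    _TOKEN_STORE[user_id] = _upstream_exchange_code(auth_code, APP_SECRET)
    session_id = secrets.token_urlsafe(16)
    _SESSIONS[session_id] = user_id
    return session_id


def client_request(session_id: str, resource: str) -> dict:
    """What the device calls: the server looks up the user's stored token
    and proxies the upstream call; the reply carries no secrets."""
    user_id = _SESSIONS.get(session_id)
    if user_id is None or user_id not in _TOKEN_STORE:
        return {"error": "not linked"}
    return _upstream_fetch(_TOKEN_STORE[user_id], resource)


def response_leaks_secret(response: dict) -> bool:
    """Defensive check: nothing sent to the device may contain a secret."""
    text = repr(response)
    return APP_SECRET in text or any(t in text for t in _TOKEN_STORE.values())
```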
