You know, it's right there in the OAuth RFC. http://tools.ietf.org/html/rfc5849#section-4.6
4.6. Secrecy of the Client Credentials

In many cases, the client application will be under the control of potentially untrusted parties. For example, if the client is a desktop application with freely available source code or an executable binary, an attacker may be able to download a copy for analysis. In such cases, attackers will be able to recover the client credentials. Accordingly, servers should not use the client credentials alone to verify the identity of the client.
