I'm working on the backend of a mobile app, building a RESTful API using ASP.NET MVC 4 Web API. The app will run on iOS and Android. My users will be allowed to log in only with their Facebook account, and only when logged in will they be able to use the whole functionality.
I don't have much experience with mobile apps, and this is more of a design question: which of the two scenarios (or maybe a third one?) seems the better design to you regarding who should be responsible for the Facebook authentication?
- The mobile client is responsible. Without accessing the backend, it speaks directly with Facebook, allowing the user to enter his credentials, and when it gets the token from Facebook, it hits the backend for the first time, passing the token to it in every request.
- The backend API is responsible. The mobile client tries to access a resource from it. The backend gets no authentication token from the client, so it redirects to the Facebook login. The user enters credentials and Facebook replies to the backend, passing the token. Then the backend is willing to answer the client's request about the desired resource.
Of course, the second scenario means the backend should use a package like DotNetOpenAuth to handle OAuth, while in the first scenario all of this happens in the mobile client.
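In the first scenario the backend still has a security job: it must not take the client's word for the token, but check with Facebook that the token is valid and was issued to *this* app, otherwise a token obtained by any other Facebook app would be accepted. Below is an added example (not the asker's code) of a Web API `DelegatingHandler` that does this via the Graph API `debug_token` endpoint; it assumes Newtonsoft.Json is referenced and that the `<FB_APP_ID>` / `<FB_APP_SECRET>` placeholders are replaced from configuration.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Register in WebApiConfig: config.MessageHandlers.Add(new FacebookTokenHandler());
public class FacebookTokenHandler : DelegatingHandler
{
    private static readonly HttpClient Graph =
        new HttpClient { BaseAddress = new Uri("https://graph.facebook.com/") };
    private const string AppId = "<FB_APP_ID>";         // placeholder, load from config
    private const string AppSecret = "<FB_APP_SECRET>"; // placeholder, load from config

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth == null || auth.Scheme != "Bearer" || string.IsNullOrEmpty(auth.Parameter))
            return request.CreateResponse(HttpStatusCode.Unauthorized);

        string userId = await ValidateAsync(auth.Parameter);
        if (userId == null)
            return request.CreateResponse(HttpStatusCode.Unauthorized);

        // Downstream controllers read the verified Facebook user id from here.
        request.Properties["FacebookUserId"] = userId;
        return await base.SendAsync(request, cancellationToken);
    }

    // Asks Facebook about the user token using an app access token (APP_ID|APP_SECRET).
    // Returns the Facebook user id, or null if the token must be rejected.
    private static async Task<string> ValidateAsync(string userToken)
    {
        string url = string.Format("debug_token?input_token={0}&access_token={1}|{2}",
            Uri.EscapeDataString(userToken), AppId, AppSecret);
        HttpResponseMessage resp = await Graph.GetAsync(url);
        if (!resp.IsSuccessStatusCode) return null;

        JObject data = JObject.Parse(await resp.Content.ReadAsStringAsync())["data"] as JObject;
        if (data == null) return null;

        bool isValid = (bool?)data["is_valid"] ?? false;
        long expiresAt = (long?)data["expires_at"] ?? 0; // unix seconds; 0 = no expiry
        long now = (long)(DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;

        // Valid for *some* app is not enough: the token must belong to our app and be unexpired.
        if (!isValid || (string)data["app_id"] != AppId) return null;
        if (expiresAt != 0 && expiresAt <= now) return null;
        return (string)data["user_id"];
    }
}
```

Because every request triggers a Graph API round trip, a production handler would cache the validation result for the token's remaining lifetime.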