Authenticating with client_id and client_secret doesn't authenticate you as a user; it just identifies the application. Since permissions are granted only to users (and not to applications), this way of authenticating with the API doesn't allow you to perform actions which require authentication.
In other words, when you provide the client_id and client_secret, you're still making unauthenticated requests, but you get the higher rate limit:
http://developer.github.com/v3/#unauthenticated-rate-limited-requests
To get around this problem, you'll need to authenticate using Basic Auth or OAuth: