I’ve got the OAuth flow working fine on my client app but I realized I’ve got the client secret in the client and that’s no good so I’m moving some logic to my backend.
Currently I’m making the authorization request from the client and then sending the code to the backend. The backend makes the same exact token request as the client was making successfully but it gets returned with a 500 status, ‘Internal Service Error’.
I’ve checked everything several times for typos and formatted the request different ways. So my guess is that the token request has to come from the same origin as the authorization request. Is this right?
Also, I can’t find much information on the client secret itself. Is it really a secret? The ‘OAuth and Permissions’ doc describes the entire OAuth process as happening on a client, leaving out securing the client secret. If this is something that I don’t actually have to worry about I’d just as well let the client handle the entire OAuth flow.
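As an added example (not part of the original post and not any provider's own code): a backend-side authorization-code exchange as standardized in RFC 6749, with the client secret read only from the server's environment. The token URL, the environment variable names and the `secret_in_body` switch are placeholders and assumptions, since the post does not name the provider.

```python
import base64
import os
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical placeholder: the post does not name the provider or its token endpoint.
TOKEN_URL = "https://provider.example/oauth/token"


def build_token_request(code, redirect_uri, client_id, client_secret,
                        token_url=TOKEN_URL, secret_in_body=False):
    """Build the RFC 6749 section 4.1.3 token request without sending it."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        # Must be identical to the redirect_uri the client sent in the
        # authorization request, if one was sent there.
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    if secret_in_body:
        # Alternative some servers accept: credentials as form fields.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        # HTTP Basic client authentication (RFC 6749 section 2.3.1).
        quoted = ":".join(urllib.parse.quote_plus(v) for v in (client_id, client_secret))
        headers["Authorization"] = "Basic " + base64.b64encode(quoted.encode()).decode()
    body = urllib.parse.urlencode(form).encode()
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")


def exchange_code(code, redirect_uri):
    """Backend-only: the secret comes from the server environment (assumed names)."""
    req = build_token_request(code, redirect_uri,
                              os.environ["OAUTH_CLIENT_ID"],
                              os.environ["OAUTH_CLIENT_SECRET"])
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        # Keep the error body: it may say more than the status line does.
        return err.code, err.read().decode(errors="replace")
```

The browser or mobile client only forwards the `code` to the backend; the function returning the status and body together makes it possible to log what the token endpoint actually answered.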