In the end, if you want to configure the secret in the backend, you need to create two different clients.

• One for the frontend, public, without secret, to retrieve the code and the token.
• One for the backend, confidential, with secret, to get the information from the received token.

Following this blog helped me a lot to understanding it: Secure Frontend (React.js) and Backend (Node.js/Express Rest API) with Keycloak