I am also having the same problem at the moment.
As pointed out in https://stackoverflow.com/a/7476709/11025934, they don't expect the client_secret to stay secret. That being said, the thread that is being quoted is really old (from 2011), and it seems weird that they haven't fixed that or, in their words, "phased it out".
To me this means that they treat the client_secret the same as the client_id. If that's the case, then it is probably OK to use it. My problem with this, however, is that adding a Desktop OAuth 2.0 client in https://console.cloud.google.com/auth/clients does not require a redirect_uri, and I believe this is a big security risk.
For me there are 2 solutions:
client_secret but does not require it for the authorization_code grant; Auth0 also creates a client_secret but does not support http redirect_uri, so you have to set up a custom URI scheme.