How should a CLIENT_SECRET for OAuth be accessed?
I have a Next.js SPA and a Django web application. For authentication I am trying to implement OAuth with Google. From the articles I've read related to this I've understood that the client_secret shouldn't be stored on the client side, in my case the Next.js app. What confuses me is that when a user tries to log in they would need to access the client_secret. Let's say I retrieve the client_secret through an API when the user tries to log in and then use the retrieved client_secret. Wouldn't it still be exposed to potential malicious parties?

What would be a secure way to store and retrieve the stored client_secret?

I tried to follow the next-auth tutorial to set up Google OAuth, but the client_id and client_secret are both stored on the Next.js application, which goes against recommendations related to OAuth implementations.
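The pattern the question is circling is the authorization code grant with the secret held only by the backend: the browser app receives a one-time authorization code from Google, hands that code to the Django backend, and the backend alone reads the client_secret (from its own environment, never from an API the SPA can call) and performs the token exchange. The following is an added illustration written for this post, not code from the question or from next-auth; the environment variable name GOOGLE_CLIENT_SECRET, the `post_form` helper and the session handling are assumptions, while the form fields and the Google token endpoint URL are the standard ones.

```python
"""Server-side handling of an OAuth client_secret (added example).

The SPA never sees the secret: it sends only the authorization code to the
backend, and the backend (Django in the question) does the exchange.
"""
import json
import os
from urllib import parse, request

# Google's token endpoint; in this design the SPA never talks to it directly.
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def load_client_secret(env=os.environ):
    """Read the secret from the server's environment, never from a client bundle.

    Failing loudly here is better than silently shipping an empty secret.
    GOOGLE_CLIENT_SECRET is an assumed variable name.
    """
    secret = env.get("GOOGLE_CLIENT_SECRET")
    if not secret:
        raise RuntimeError("GOOGLE_CLIENT_SECRET is not set on the server")
    return secret


def build_token_request(code, redirect_uri, client_id, client_secret):
    """Form body for the authorization_code grant (RFC 6749, section 4.1.3)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def post_form(url, fields):
    """Real HTTP POST (assumed helper); replaced by a fake in offline tests."""
    body = parse.urlencode(fields).encode()
    req = request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def exchange_code(code, redirect_uri, client_id, env=os.environ, post=post_form):
    """Backend half of the login: trade the one-time code for tokens.

    The secret is read here, on the server, and sent only to Google.
    """
    fields = build_token_request(code, redirect_uri, client_id, load_client_secret(env))
    return post(TOKEN_ENDPOINT, fields)


def response_for_spa(token_response, session_id):
    """What the backend returns to the Next.js app: a session handle only.

    Neither the client_secret nor Google's raw tokens leave the server; the
    session id is whatever the backend's own session store issued (assumed).
    """
    return {"session_id": session_id, "expires_in": token_response.get("expires_in")}
```

The check worth keeping in mind from this layout: the only place `client_secret` appears is inside `build_token_request`, whose output goes to Google's token endpoint over the server's own connection, and `response_for_spa` deliberately rebuilds a fresh dict rather than forwarding the token response, so nothing sensitive can leak into the browser by accident.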