I have an OAuth2 API server and a website "client" server. This website client has its own OAuth2 client id and secret. I am trying to authenticate a user. For this, I need to POST their username and password to my client server, then add the client id and client secret and perform another POST to the OAuth2 API server.
The gist of it is that I do not want my client id and client secret to be seen on the front end. Is there a way to do this? For those with experience running their own OAuth2 instances, is it safe to just post the client id and client secret from the client side of the client server?
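
The two-step flow described in the question, as an added example that is not part of the original post: the browser form carries only the username and password, and the client server attaches its own credentials on the back-channel request. It assumes the API server accepts the RFC 6749 password grant with HTTP Basic client authentication; the token URL and environment variable names are hypothetical.

```python
import base64, json, os
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.example.test/oauth/token"  # hypothetical endpoint

def build_token_request(form, client_id, client_secret, token_url=TOKEN_URL):
    """Build the server-to-server token POST from a browser login form."""
    # Copy only the two expected fields; anything else the browser sent
    # (for example its own client_id or grant_type) is ignored.
    try:
        username, password = form["username"], form["password"]
    except KeyError as missing:
        raise ValueError(f"login form lacks {missing}") from None
    body = urllib.parse.urlencode(
        {"grant_type": "password", "username": username, "password": password}
    ).encode()
    # RFC 6749 section 2.3.1: form-encode id and secret, then HTTP Basic.
    pair = f"{urllib.parse.quote_plus(client_id)}:{urllib.parse.quote_plus(client_secret)}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(token_url, data=body, headers=headers, method="POST")

def login(form, env=os.environ, send=urllib.request.urlopen):
    """Exchange the user's credentials for a token on the client server."""
    # Assumed variable names; the secret lives in server config only.
    req = build_token_request(form, env["OAUTH_CLIENT_ID"], env["OAUTH_CLIENT_SECRET"])
    with send(req, timeout=10) as resp:
        return json.load(resp)
```

The client secret appears only in the `Authorization` header of the request the client server sends to the API server, so it never has to be present in any page or script delivered to the browser.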