I want to know what could the attacker do if he obtains the client_id
and client_secret of an Google's Oauth2 app.
The OAuth 2 Client Secret must be protected. However, if it is leaked the attacker needs one more item. A valid redirect_uri. If the attacker has both along with the (public) Client ID, they might be able to generate OAuth tokens for your account.
The redirect_uri is often valid for http://localhost because developers forget to remove this URI after development completes. This means that someone could run a local server and generate OAuth tokens. This is a big security hole.
What can they do with the OAuth tokens? depends ...
Like what the information he would be able to see? Can he edit the app
configurations? Can he see other people information?
You did not specify whose OAuth system, what it is authorizing, etc. Therefore the answer is "it depends".
For Google Cloud, the hacker will need the credentials for someone authorized in Google Cloud. Some systems have very poor security, so as they say, anything can happen and often does with poorly designed security.
In a properly designed system, there are several layers that the hacker needs to get thru. Having the Client Secret helps a lot, but is not a total security failure. The hacker can only authenticate with the system. The next layer, which is authorization, needs to be breached. In a correctly designed system, the hacker will need to authenticate with a user with authorized permissions. If the hacker has that, then you are in big trouble. He might have the keys to do anything he wants. Again, it depends.