In the context of OAuth 2.0, after the RO (Resource Owner) approves the consent (clicks on "Allow"), the AS (Authorization Server) will redirect the client to the redirect_uri passed by the client and add query params, e.g. the code and the state:
https://example-app.com/redirect?code=<the auth code>&state=<state>
Then the client should exchange (send these to the AS) the authorization_code + client_id + client_secret for an access token.
Okta defines the client_secret as such:
client_secret - The application’s client secret. This ensures that the request to get the access token is made only from the application, and not from a potential attacker that may have intercepted the authorization code
BUT how on earth does the Authorization Server know how to validate this client_secret which the client has created???
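The exchange described in the question, as an added worked example that is not part of the original post and not the asker's code. It models both sides of the authorization code grant in memory: a minimal authorization server that mints a client_id/client_secret pair at registration (as RFC 6749 section 2 has the AS do) and stores only a hash of the secret, issues a code bound to the client and redirect_uri after "Allow", and on the token request checks the secret in constant time, then checks that the code is unexpired, unused, and bound to that client and redirect_uri. The URL https://example-app.com/redirect is taken from the question; the class and function names, the 60-second code lifetime and the SHA-256 hashing of the secret are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class RegisteredClient:
    client_id: str
    secret_hash: bytes       # the AS never stores the plaintext client_secret
    redirect_uris: list


@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str
    user: str
    expires_at: float
    used: bool = False


class AuthorizationServer:
    """Hypothetical in-memory model of the AS side of the authorization code grant."""

    def __init__(self):
        self.clients = {}
        self.codes = {}
        self.tokens = {}

    @staticmethod
    def _hash(secret):
        # The secret is a high-entropy random value, so a plain SHA-256 digest is
        # enough to keep a database leak from exposing usable secrets (assumption).
        return hashlib.sha256(secret.encode()).digest()

    def register_client(self, redirect_uris):
        # Client registration: the AS mints both identifier and secret and hands
        # them to the developer once; only the hash of the secret is kept.
        client_id = secrets.token_urlsafe(16)
        client_secret = secrets.token_urlsafe(32)
        self.clients[client_id] = RegisteredClient(
            client_id, self._hash(client_secret), list(redirect_uris))
        return client_id, client_secret

    def issue_code(self, client_id, redirect_uri, user, ttl=60):
        # Called after the resource owner clicks "Allow": the short-lived code is
        # bound to the requesting client and the redirect_uri it supplied.
        client = self.clients[client_id]
        if redirect_uri not in client.redirect_uris:
            raise ValueError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = AuthCode(client_id, redirect_uri, user, time.time() + ttl)
        return code

    def token(self, params):
        """Handle POST /token for grant_type=authorization_code. Returns (status, body)."""
        if params.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        client = self.clients.get(params.get("client_id", ""))
        # Compare hash(presented secret) with the stored hash in constant time; an
        # unknown client_id goes through the same comparison so timing does not
        # reveal whether the id or the secret was wrong.
        expected = client.secret_hash if client else self._hash("")
        secret_ok = hmac.compare_digest(self._hash(params.get("client_secret", "")), expected)
        if client is None or not secret_ok:
            return 401, {"error": "invalid_client"}
        entry = self.codes.get(params.get("code", ""))
        if (entry is None or entry.used or entry.expires_at < time.time()
                or entry.client_id != client.client_id
                or entry.redirect_uri != params.get("redirect_uri")):
            return 400, {"error": "invalid_grant"}
        entry.used = True   # single use: replaying a stolen code fails here
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = entry.user
        return 200, {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}


def exchange_code(server, client_id, client_secret, code, redirect_uri):
    """Client side: the form the app POSTs to the token endpoint. Here it is handed
    straight to the in-memory server instead of being sent over HTTPS."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return server.token(form)


if __name__ == "__main__":
    srv = AuthorizationServer()
    uri = "https://example-app.com/redirect"
    cid, cs = srv.register_client([uri])
    code = srv.issue_code(cid, uri, user="alice")
    print(exchange_code(srv, cid, "guessed-secret", code, uri))  # attacker with the code only
    print(exchange_code(srv, cid, cs, code, uri))                # the registered app
    print(exchange_code(srv, cid, cs, code, uri))                # replay of the used code
```

The run at the bottom shows the three outcomes that matter for the question: an attacker who intercepted the code but presents a wrong secret gets `invalid_client`, the registered app gets an access token, and a second use of the same code gets `invalid_grant`.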