Thanks @kamicut! So, it seems like the primary risk is that if someone could easily get your Client Secret (i.e. read it in your front-end application's source code) and then could somehow intercept the Authorization Code (e.g. look through a browser's history for redirect URLs, such as when GitHub redirects back to "http://...redirect_uri.../?code=abc123"), then that person would be able to easily generate an auth token for that user. So in closing, it is not okay to embed your client_secret in a frontend application.
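The code-for-token exchange described in the comment above, as an added example that is not part of the original post or any provider's code: a toy token endpoint showing that the client secret is the only thing separating a redirect code from a token. `ToyTokenEndpoint`, `compare_designs`, the client id, the secret and the user name are all constructed for illustration.

```python
import hmac
import secrets


class ToyTokenEndpoint:
    """Constructed stand-in for an OAuth provider's code-for-token exchange."""

    def __init__(self, client_id, client_secret):
        self._clients = {client_id: client_secret.encode()}
        self._codes = {}  # authorization code -> (client_id, user)

    def issue_code(self, client_id, user):
        # The provider appends this value to the redirect: .../?code=<value>
        code = secrets.token_urlsafe(8)
        self._codes[code] = (client_id, user)
        return code

    def exchange(self, client_id, client_secret, code):
        expected = self._clients.get(client_id)
        # The secret is the only proof that the caller is the registered app.
        if expected is None or not hmac.compare_digest(expected, client_secret.encode()):
            return None
        entry = self._codes.pop(code, None)  # a code can be redeemed only once
        if entry is None or entry[0] != client_id:
            return None
        return "token-for-" + entry[1]


def compare_designs():
    """Return what a party holding only public material plus a redirect code gets."""
    server = ToyTokenEndpoint("app-123", "constructed-secret")
    # Material readable by anyone who can view the shipped front-end source.
    public_material = {
        "secret_in_frontend": ("app-123", "constructed-secret"),
        "secret_on_backend": ("app-123", ""),  # the bundle carries no secret
    }
    results = {}
    for design, (client_id, known_secret) in public_material.items():
        code = server.issue_code(client_id, "alice")  # value seen in the redirect URL
        results[design] = server.exchange(client_id, known_secret, code)
    return results


if __name__ == "__main__":
    print(compare_designs())
```

With the secret held only by a backend, the same code taken from a redirect URL cannot be exchanged by anyone but that backend.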