Hey @maxime1992
Welcome to the community 
You are right that the client_secret should not be exposed. The client_id and client_secret information is used to identify the app that is requesting authorization (consent from the user). It is the responsibility of the app to maintain the confidentiality of the client_secret (Ref. RFC 6749 - The OAuth 2.0 Authorization Framework)
Depending on whether the user has granted the consent, the app is expected to exchange the authorization code for access + refresh token. This communication can happen only from the backend. Refer to the dotted lines in the flow below. They represent server to server communication or a secure back channel.
This is also an interesting question. You are more likely to run into a CORS issue (which prevents API calls happening directly from frontend to API if the origins/domains do not match) that is enforced by the browser. Let’s hypothetically assume you bypass that and manage to make a call. In this scenario, any user who has access to DevTools can intercept the requests and recover the token used for making the call. This would create a huge exploit 
You have figured out the solution too. You need to have a server to handle the OAuth flow safely. You can host it in AWS/GCP/Heroku or any cloud provider of your choice.
You also have a sample app to get started 
Let me know if it helps.
Ref: