Tags: firebase, oauth-2.0

Secure flow from Client to OAuth2 to Server to Client again
I'm not sure if this is specific to the Discord OAuth2 flow, but I'll mention that I'm currently trying to get a user's Discord id for use later.

My current flow is as follows:

  • User clicks on button on client which redirects to Discord auth link
  • Discord sends code callback to Firebase function
  • Firebase sends for Token+Refresh from auth server
  • Firebase stores user id and such (iffy here)
  • Firebase sends confirmation back to the Client

I need the UID of the person calling this function in order to store the data into the correct document on firestore. I was originally going to consider going with:

  • User clicks on button on client which redirects to Discord auth link
  • Discord sends code callback to client
  • Client sends code to Firestore Function
  • Firebase sends for Token+Refresh from auth server
  • Firebase stores user id
  • Firebase sends confirmation back to the Client

but I'm worried about the insecurity mentioned here: https://discordjs.guide/oauth2/#oauth2-flow


Solution

  • I finally decided that it doesn't matter if the client (or anyone for that matter) has access to the code callback, since I'm using it to fetch the actual token+refresh anyway. The code is useless without the app_id and app_secret anyway.
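The second flow from the question, written out as an added example (this is not the poster's code and not Firebase's or Discord's own code): the client hands the authorization code to a callable function, the function exchanges it for tokens with the app secret that only the server holds, looks up the Discord user id, and stores it under the caller's Firebase UID. The callable wrapper, the Firestore object and the `fetchImpl` parameter are hypothetical stand-ins injected so the logic runs offline; in a deployment they would be firebase-functions `onCall`, firebase-admin Firestore and the global `fetch`. The Discord endpoint URLs and the OAuth2 form fields are the standard ones; all ids, codes and secrets in the fakes are constructed values.

```javascript
// Added example: server-side authorization-code exchange for a Firebase callable.
// Stand-ins (fake fetch, fake Firestore) are constructed so this runs offline.

const DISCORD_TOKEN_URL = "https://discord.com/api/oauth2/token";
const DISCORD_ME_URL = "https://discord.com/api/users/@me";

// Exchange the code for tokens. client_secret never leaves this function,
// which is why a code seen by the client (or anyone) is not enough on its own.
async function exchangeCode({ code, redirectUri, clientId, clientSecret, fetchImpl }) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
    client_secret: clientSecret,
  });
  const res = await fetchImpl(DISCORD_TOKEN_URL, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  });
  if (!res.ok) throw new Error(`token exchange failed: ${res.status}`);
  return res.json(); // { access_token, refresh_token, ... }
}

async function fetchDiscordUser(accessToken, fetchImpl) {
  const res = await fetchImpl(DISCORD_ME_URL, {
    headers: { Authorization: `Bearer ${accessToken}` },
  });
  if (!res.ok) throw new Error(`user lookup failed: ${res.status}`);
  return res.json(); // { id, username, ... }
}

// Callable handler. context.auth.uid is the Firebase UID of the caller (the
// callable wrapper sets it after verifying the ID token), so the Discord id
// lands in that user's document and nobody else's. `deps` is the hypothetical
// injection point for config and I/O.
async function linkDiscord(data, context, deps) {
  if (!context.auth || !context.auth.uid) {
    throw new Error("unauthenticated: must be signed in to link Discord");
  }
  if (typeof data.code !== "string" || data.code.length === 0) {
    throw new Error("invalid-argument: missing authorization code");
  }
  const tokens = await exchangeCode({
    code: data.code,
    redirectUri: deps.redirectUri,
    clientId: deps.clientId,
    clientSecret: deps.clientSecret,
    fetchImpl: deps.fetchImpl,
  });
  const user = await fetchDiscordUser(tokens.access_token, deps.fetchImpl);
  // Keep the refresh token server-side only; return just a confirmation.
  await deps.db.collection("users").doc(context.auth.uid).set(
    { discordId: user.id, discordRefreshToken: tokens.refresh_token },
    { merge: true }
  );
  return { ok: true, discordId: user.id };
}

// --- Constructed stand-ins --------------------------------------------------
// Fake Discord: the token endpoint only accepts the matching client_secret.
function makeFakeFetch(expectedSecret) {
  return async (url, opts = {}) => {
    if (url === DISCORD_TOKEN_URL) {
      const p = new URLSearchParams(opts.body);
      const ok = p.get("grant_type") === "authorization_code" &&
                 p.get("client_secret") === expectedSecret;
      return { ok, status: ok ? 200 : 401,
               json: async () => ({ access_token: "ACCESS-constructed", refresh_token: "REFRESH-constructed" }) };
    }
    if (url === DISCORD_ME_URL) {
      const ok = opts.headers && opts.headers.Authorization === "Bearer ACCESS-constructed";
      return { ok, status: ok ? 200 : 401,
               json: async () => ({ id: "123456789012345678", username: "example" }) };
    }
    return { ok: false, status: 404, json: async () => ({}) };
  };
}

// Fake Firestore: just enough of collection().doc().set() for the handler.
function makeFakeDb() {
  const docs = {};
  return {
    docs,
    collection: (name) => ({
      doc: (id) => ({
        set: async (value, opts) => {
          const key = `${name}/${id}`;
          docs[key] = (opts && opts.merge) ? { ...(docs[key] || {}), ...value } : value;
        },
      }),
    }),
  };
}

function makeDeps(clientSecret) {
  return { fetchImpl: makeFakeFetch("APP-SECRET-constructed"), db: makeFakeDb(),
           redirectUri: "https://example.test/callback", clientId: "APP-ID-constructed", clientSecret };
}

// Happy path: signed-in caller, correct secret on the server.
async function demo() {
  const deps = makeDeps("APP-SECRET-constructed");
  const result = await linkDiscord({ code: "CODE-constructed" }, { auth: { uid: "firebase-uid-1" } }, deps);
  return { result, stored: deps.db.docs["users/firebase-uid-1"] };
}
```

`demo()` resolves to the confirmation returned to the client and the document written under the caller's UID; the returned object carries the Discord id but never the access or refresh token. Running `linkDiscord` with a wrong `clientSecret` fails at the token exchange, which is the concrete form of the solution's point that the code by itself buys an attacker nothing, and an unauthenticated `context` is rejected before any exchange happens.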