I'm not sure if this is specific to the discord OAuth2 flow but I'll mention that I'm currently trying to get a user's discord id for use later.
My current flow is as follows:
I need the UID of the person calling this function in order to store the data into the correct document on firestore. I was originally going to consider going with:
but I'm worried about the insecurity mentioned here: https://discordjs.guide/oauth2/#oauth2-flow
I finally decided that it doesn't matter if the client (or anyone for that matter) has access to the code callback since I'm using it to fetch for the actual token+refresh anyways. The code is useless without the app_id and app_secret anyways.