In the context of OAuth 2.0, after the RO (Resource Owner) approves the consent (clicks on "Allow"), the AS (Authorization Server) will redirect the client to the redirect_uri passed by the client and add query params, e.g. the code and the state:
https://example-app.com/redirect?code=<the auth code>&state=<state>
Then the client should exchange (send these to the AS) the authorization_code + client_id + client_secret for an access token.
Okta defines the client_secret as such:
client_secret - The application’s client secret. This ensures that the request to get the access token is made only from the application, and not from a potential attacker that may have intercepted the authorization code
BUT how on earth does the Authorization Server know how to validate this client_secret, which the client has created???
The client did not create the client secret. When you create a new client on the Authorization Server, the Authorization Server generates the client secret (if the type of client is confidential; a public client does not have a secret). You get the client_id and client_secret from the Authorization Server and use them in your client.
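To make the answer concrete, here is an added example (not from the question, the answer, or any real Authorization Server) that simulates the AS side in Python. It shows the AS minting the client_id and client_secret at registration, keeping only a hash of the secret, and then, at the token endpoint, checking the secret the client presents against that stored hash before it will redeem a code. The code is also bound to the client_id and redirect_uri and is single use, so an intercepted code cannot be redeemed by an attacker who lacks the secret, and a legitimate code cannot be replayed. All function and variable names are assumptions made for this illustration; the in-memory "database" is constructed sample state.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory storage for a toy Authorization Server (AS).
# These are example data structures, not any real AS's schema.
_clients = {}     # client_id -> {"secret_hash": str, "redirect_uri": str}
_auth_codes = {}  # code -> {"client_id": str, "redirect_uri": str, "expires": float, "used": bool}


def _hash_secret(secret: str) -> str:
    # A plain SHA-256 is acceptable here because the secret is AS-generated high-entropy
    # random data, not a human-chosen password (which would need a slow KDF).
    return hashlib.sha256(secret.encode()).hexdigest()


def register_client(redirect_uri: str) -> tuple:
    """The AS, not the client, mints client_id and client_secret when the client is registered.
    Only a hash of the secret is stored; the plaintext is returned to the developer once."""
    client_id = secrets.token_urlsafe(16)
    client_secret = secrets.token_urlsafe(32)
    _clients[client_id] = {"secret_hash": _hash_secret(client_secret), "redirect_uri": redirect_uri}
    return client_id, client_secret


def issue_auth_code(client_id: str, redirect_uri: str, ttl_seconds: int = 60) -> str:
    """After the Resource Owner clicks Allow, the AS issues a short-lived code that is bound
    to the client_id and redirect_uri from the authorization request."""
    code = secrets.token_urlsafe(24)
    _auth_codes[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "expires": time.time() + ttl_seconds,
        "used": False,
    }
    return code


def exchange_code(client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
    """Token endpoint: authenticate the client by its secret, then validate the code."""
    client = _clients.get(client_id)
    # Constant-time comparison of hashes so response timing does not leak the secret.
    if client is None or not hmac.compare_digest(client["secret_hash"], _hash_secret(client_secret)):
        return {"error": "invalid_client"}

    record = _auth_codes.get(code)
    if record is None or record["used"] or time.time() > record["expires"]:
        return {"error": "invalid_grant"}

    # A code intercepted from the redirect is useless to a different client or redirect_uri.
    if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
        return {"error": "invalid_grant"}

    record["used"] = True  # single use: replaying the same code fails
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


def demo() -> dict:
    """Walk through the flow: one honest client, one attacker who stole the code but not the secret."""
    redirect = "https://example-app.com/redirect"
    client_id, client_secret = register_client(redirect)
    code = issue_auth_code(client_id, redirect)

    results = {}
    # Attacker has the code (e.g. from a leaked redirect URL) but guesses the secret.
    results["stolen_code_wrong_secret"] = exchange_code(client_id, "not-the-secret", code, redirect)
    # Attacker registered their own confidential client and tries to redeem the honest client's code.
    evil_id, evil_secret = register_client("https://evil.example/cb")
    results["stolen_code_other_client"] = exchange_code(evil_id, evil_secret, code, "https://evil.example/cb")
    # The honest client redeems the code with the secret the AS gave it at registration.
    results["honest_exchange"] = exchange_code(client_id, client_secret, code, redirect)
    # Replaying the already-used code fails.
    results["replay"] = exchange_code(client_id, client_secret, code, redirect)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The key design point is that the AS never needs to "learn" a secret from the client: it is the issuer, so it only has to compare what the client presents with the hash it stored at registration. Binding the code to client_id and redirect_uri and marking it used on first redemption is what makes the authorization code worthless on its own.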