Hey @spoulose,
This is the correct flow. 
The Client Secret and request to get an access token should not be made on the frontend. After landing on the redirect url, you should send the code in the query param to your backend server to make the get access token request, and then send the access token to your frontend in your session or however you want to use it. The Client Secret should never touch your frontend application.
Does that make sense?
Thanks,
Tommy