Security considerations
Your token request MUST occur on a backend server; implicit grant types are not supported. Do not provide the client secret to unsecured environments such as web clients.
Be sure to validate all query parameters received via the Redirect URI.
Your implementation should also use the State field to protect against cross-site request forgery (CSRF).
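One way to handle the redirect on the backend, shown as an added example that is not part of the original documentation: it binds a random State value to the user's server-side session, then validates every query parameter on the Redirect URI before the code is used in a token request. The parameter names (`code`, `state`, `error`, `error_description`) are assumed from the standard OAuth 2.0 authorization response; the function names, the dict-like `session`, and the code format pattern are hypothetical.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs

# Assumed parameter names (standard OAuth 2.0 authorization response).
ALLOWED_PARAMS = {"code", "state", "error", "error_description"}
# Assumed code format: a conservative allow-list; adjust to the provider's docs.
CODE_RE = re.compile(r"[A-Za-z0-9._~-]{1,512}")


class CallbackError(Exception):
    """Raised when the redirect must be rejected."""


def begin_authorization(session):
    """Create an unguessable State value bound to the server-side session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state  # send this as the State field of the authorization request


def validate_callback(query_string, session):
    """Return the authorization code, or raise CallbackError."""
    # pop(): the stored State is single-use, even when validation fails.
    expected = session.pop("oauth_state", None)
    try:
        params = parse_qs(query_string, keep_blank_values=True,
                          strict_parsing=True)
    except ValueError:
        raise CallbackError("malformed query string") from None
    if set(params) - ALLOWED_PARAMS:
        raise CallbackError("unexpected parameter")
    if any(len(values) != 1 for values in params.values()):
        raise CallbackError("duplicated parameter")
    state = params.get("state", [""])[0]
    # Constant-time comparison; a missing session value always fails.
    if expected is None or not hmac.compare_digest(state.encode(),
                                                   expected.encode()):
        raise CallbackError("state mismatch")
    if "error" in params:
        # Do not echo error_description to the user unescaped.
        raise CallbackError("authorization failed")
    code = params.get("code", [""])[0]
    if not CODE_RE.fullmatch(code):
        raise CallbackError("missing or malformed code")
    return code  # exchange it server-side together with the client secret
```
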