How do client-side JS libraries for OAuth2 maintain secure authentication?

Problem description:

I'm new to OAuth2, and there's a problem I've been struggling with that, despite research, I still can't grasp.

The difficulty in having a JS client for OAuth2 is that you can't store the client secret, because it will be widely accessible in the browser. I.e. in this SO question the highest-rated comment says:

"I think tokenSecret and consumerSekret parameters are supposed to be secret! How could they remain secret when downloaded to browser?!!!"

Therefore how do client-side OAuth2 frameworks like hello.js or oauth.io overcome this problem? I know they use a server-side proxy (which knows the ID and secret) for their requests, but the client JS code still needs to somehow tell the proxy who it is. So what prevents anyone from taking the JS code from my website and talking to the proxy on my behalf?

I've also found the Google APIs Client Library for JavaScript. AFAIK there the client code does not pass a secret. Do I understand correctly that they manage this by having a predefined OAuth response address? (so that the tokens are always returned via a predefined HTTP address). So even if somebody tries to impersonate my website by using my ID, the tokens will still get returned to my website?

Maybe I'm confusing a few different topics here, any light on the subject would be appreciated.

There are flows in OAuth2 that don't require a secret (e.g. the implicit flow is typically used for JS-based clients, SPAs, etc.). Not all providers support this flow though, so in those situations you need a server-side component that negotiates that for you and then handles the interactions with your front-end/device.

In any case, you need the user to authenticate. The secret authenticates the client (your app), not the user. The return URL (or callback) protects the token from being posted somewhere else (only to your app).

Samples of these flows are here: https://docs.auth0.com/protocols#5

Update: There's a specific code/token exchange protocol for "public clients" that adds extra security: PKCE (how it works is here: https://auth0.com/docs/protocols#oauth2-pkce-for-public-clients)