I may have missed the point — and that’s a distinct possibility — but I’m not sure I agree.
As far as I can tell, the security for web applications using OAuth 2 comes entirely from the redirect URL. There’s no way an attacker can get any tokens sent to them without either:
- being able to intercept and decrypt the HTTPS traffic, or
- being able to fiddle with the DNS of the client to get it to request the URL for the redirect from a web server under the attacker’s control (and have a valid HTTPS certificate for that domain).
In either of these situations, you probably have bigger problems.
The client secret is a red herring when it comes to web applications. The user can extract it, as can anyone else who wants to use it. It’s pointless in this context, and that’s presumably why the implicit grant exists. The implicit grant still has the protection of the redirect URL, and that’s enough.
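
Added example, not part of the comment above: for the redirect URL to carry the protection the comment relies on, the authorization server has to compare the requested `redirect_uri` against the client's registered values by exact string match (RFC 6749 section 3.1.2). The client id, URLs and function names below are hypothetical, and the registration data is constructed for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample registration; the client id and URL are hypothetical.
REGISTERED = {
    "demo-web-client": {"https://app.example.com/oauth/callback"},
}


def is_registrable(uri: str) -> bool:
    """Accept only absolute HTTPS URIs with no userinfo and no fragment."""
    parts = urlsplit(uri)
    return (
        parts.scheme == "https"
        and bool(parts.hostname)
        and parts.username is None
        and parts.password is None
        and "#" not in uri
    )


def resolve_redirect(client_id: str, requested: Optional[str]) -> Optional[str]:
    """Return the URI the authorization response may be sent to, or None to refuse.

    Comparison is exact string equality against the registered set: no prefix,
    wildcard or host-only matching, so the response can only be delivered to a
    URL that was registered for this client.
    """
    registered = REGISTERED.get(client_id)
    if not registered:
        return None  # unknown client: never redirect anywhere
    if requested is None:
        # Omitting redirect_uri is only unambiguous with a single registration.
        return next(iter(registered)) if len(registered) == 1 else None
    if requested in registered and is_registrable(requested):
        return requested
    return None  # refuse and show an error page instead of redirecting
```

When `resolve_redirect` returns `None`, the server should display the error itself rather than redirect, since the destination is exactly the value that failed validation.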