How do client-side JS libraries for OAuth2 maintain secure authentication?

There are flows in OAuth2 that don’t require a secret (e.g. the implicit flow is typically used for JS-based clients, SPAs, etc.). Not all providers support this flow though, so in those situations you need a server-side component that negotiates that for you and then handles the interactions with your front-end/device.

In any case, you need the user to authenticate. The secret authenticates the client (your app), not the user. The return URL (or callback) prevents the token from being posted somewhere else (it only goes to your app).

Samples of these flows are here: https://docs.auth0.com/protocols#5

Update:
There’s a specific code/token exchange protocol for “public clients” that adds extra security: PKCE.