This doesn't seem secure, but I'm not sure what the easiest method to secure it is. My first thought was to host a separate API to retrieve access tokens. Once the browser gets an auth code back from Strava, it sends it to the API, and the API talks to Strava to exchange the code for a token, and then sends the token back to the browser.
This seems a little convoluted, and even more so if I would need to implement TLS on my new API to secure that communication channel. Is there another recommended way to keep my client secret secure?
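The server-side exchange described in the question, as an added example that is not part of the original post or Strava's own code: the browser sends only the authorization code, and the client secret is read from the server's environment and never returned. The token URL and form field names are assumed from Strava's public OAuth documentation; the environment variable names, the handler function, the code-format check, and the choice to keep the refresh token on the server are hypothetical.

```python
import json
import os
import re
import urllib.parse
import urllib.request

# Assumed from Strava's public API docs; confirm before use.
TOKEN_URL = "https://www.strava.com/oauth/token"
CODE_RE = re.compile(r"^[A-Za-z0-9_-]{8,128}$")  # assumed shape of an auth code


def _post_form(url, fields):
    """Default transport: HTTPS form POST, returns the decoded JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data)  # data present => POST
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def exchange_code(code, client_id, client_secret, post=_post_form):
    """Server-side code-for-token exchange; the secret never reaches the browser."""
    if not isinstance(code, str) or not CODE_RE.fullmatch(code):
        raise ValueError("malformed authorization code")
    body = post(TOKEN_URL, {
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "grant_type": "authorization_code",
    })
    if "access_token" not in body:
        raise RuntimeError("token endpoint returned no access token")
    # Return only what the browser needs; the refresh token stays on the server.
    return {"access_token": body["access_token"], "expires_at": body.get("expires_at")}


def handle_browser_request(json_body, post=_post_form):
    """Hypothetical handler body for the proxy endpoint (framework-agnostic)."""
    code = json.loads(json_body).get("code")
    return exchange_code(
        code,
        os.environ["STRAVA_CLIENT_ID"],      # hypothetical variable names
        os.environ["STRAVA_CLIENT_SECRET"],  # set on the server only
        post=post,
    )
```

The `post` parameter exists so the exchange can be exercised offline with a stub transport; in deployment the handler would sit behind an HTTPS endpoint.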