This repository was archived by the owner on Feb 14, 2023. It is now read-only.

basePropTypes: clientSecret is unnecessarily required #4

@npflood

It is not recommended to use client secrets in single page apps.

Single-page apps (or browser-based apps) run entirely in the browser after loading the Javascript and HTML source code from a web page. Since the entire source is available to the browser, they cannot maintain the confidentiality of a client secret, so the secret is not used for these apps. The flow is exactly the same as the authorization code flow, but at the last step, the authorization code is exchanged for an access token without using the client secret.

From: https://www.oauth.com/oauth2-servers/single-page-apps/

The basePropTypes currently states that the clientSecret is required:

const basePropTypes = {
  oauthClient: PropTypes.shape({
    options: PropTypes.shape({
      clientId: PropTypes.string.isRequired,
      clientSecret: PropTypes.string.isRequired,
      redirectUri: PropTypes.string.isRequired,
      authorizationUri: PropTypes.string.isRequired,
      accessTokenUri: PropTypes.string.isRequired,
    }),
    code: PropTypes.shape({
      getToken: PropTypes.func.isRequired,
    }),
  }),
};

As this requirement is contrary to best practices in some situations, and the client secret is not required according to OAuth2 specifications, I suggest that the ".isRequired" flag be removed from the propTypes declaration.
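The following is an added example and not code from this project or the issue author. It mirrors the suggested shape (clientSecret optional, the other four options required) as a dependency-free check, flags a secret that would be shipped to a browser client, and builds the token-exchange body so that client_secret is only sent when one was actually configured. The function names, the isBrowser option, and all sample values are assumptions for illustration.

```javascript
// Added example, not the project's code. Mirrors the proposed propTypes shape
// without depending on prop-types, and adds two defender-side behaviours:
//  1. warn when a clientSecret is present in a browser (public) client
//  2. build the authorization-code exchange body, omitting client_secret when absent

const REQUIRED_OPTIONS = ['clientId', 'redirectUri', 'authorizationUri', 'accessTokenUri'];
const OPTIONAL_OPTIONS = ['clientSecret']; // no longer required

// Validate an options object. `isBrowser` is an assumed option that defaults to
// detecting a browser environment; tests pass it explicitly.
function validateOAuthOptions(options, { isBrowser = typeof window !== 'undefined' } = {}) {
  const errors = [];
  const warnings = [];
  if (!options || typeof options !== 'object') {
    return { valid: false, errors: ['options must be an object'], warnings };
  }
  for (const key of REQUIRED_OPTIONS) {
    if (typeof options[key] !== 'string' || options[key].length === 0) {
      errors.push(`options.${key} is required and must be a non-empty string`);
    }
  }
  for (const key of OPTIONAL_OPTIONS) {
    if (options[key] !== undefined && typeof options[key] !== 'string') {
      errors.push(`options.${key} must be a string when provided`);
    }
  }
  // Anything delivered to the browser is readable by whoever loads the page, so a
  // secret configured in a public client cannot stay confidential; surface it.
  if (isBrowser && typeof options.clientSecret === 'string' && options.clientSecret.length > 0) {
    warnings.push('clientSecret is configured in a browser (public) client; it cannot be kept confidential and should be omitted');
  }
  return { valid: errors.length === 0, errors, warnings };
}

// Build the form body for exchanging an authorization code for a token.
// A public client sends no client_secret; a confidential client includes it.
function buildTokenRequestBody(options, code) {
  const body = {
    grant_type: 'authorization_code',
    code,
    redirect_uri: options.redirectUri,
    client_id: options.clientId,
  };
  if (typeof options.clientSecret === 'string' && options.clientSecret.length > 0) {
    body.client_secret = options.clientSecret;
  }
  return body;
}

// Constructed sample configurations (placeholder values, not real endpoints).
const spaOptions = {
  clientId: 'example-spa-client',
  redirectUri: 'https://app.example/callback',
  authorizationUri: 'https://auth.example/authorize',
  accessTokenUri: 'https://auth.example/token',
};
const spaWithSecret = { ...spaOptions, clientSecret: 'placeholder-secret' };
const missingRedirect = {
  clientId: 'example-spa-client',
  authorizationUri: 'https://auth.example/authorize',
  accessTokenUri: 'https://auth.example/token',
};

// Usage: a correct public-client config validates cleanly; a secret in the browser is warned about.
console.log(validateOAuthOptions(spaOptions, { isBrowser: true }));
console.log(validateOAuthOptions(spaWithSecret, { isBrowser: true }).warnings);
console.log(buildTokenRequestBody(spaOptions, 'placeholder-code'));
```

The validator keeps a configured secret as a warning rather than an error so that the same options object can be used by a confidential (server-side) client, which is exactly the situation the unconditional `.isRequired` fails to distinguish.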
