We do not recommend passing the confidential details such as client secret as query parameters, but as POST attributes, as the hostname and request path can be logged.
You can find here the current supported flows, along with examples on how to send them securely.