It sounds like Okta uses the authorization code flow so you definitely need the client secret to make a /token request to retrieve tokens.
For OIDC applications destined for the OIN, Okta recommends building a “web” application with a dedicated server-side back end that is capable of securely storing a Client Secret and exchanging information with an authorization server through trusted back-channel connections.