How secure is this solution?

[blaataap]

So i have implemented this quickstart but im wondering how secure this is? For example all client id's are exposed client side. Next to that i was able to login using the access_tokens from localstorage. Just by copy and pasting the localstorage i was able to login on a different browser/computer.

Is this just as designed or should this never be used in production/publicly?