OIDC plugin usage of client_secret


I am reading the documentation for the OIDC plugin here: OpenID Connect | Kong Docs (konghq.com), and looking at the sequence diagrams, I am a little confused about what Kong’s and the plugin’s roles are in these scenarios.
From the picture it looks like the Kong-plugin is taking the client_id, client_secret and auth_code from the Client and uses them to obtain an access_token on the IdP.
Similarly down below for the client_credential grant type, where Kong again interacts with the IdP on behalf of the

Isn’t this kind of interaction supposed to stay directly between the Client and the IdP, so the client_secret doesn’t leak?
I am reading this explanation, where the Client has to work with the Authorization Server (IdP) directly and the Resource Server is not mentioned.
Final: OpenID Connect Core 1.0 incorporating errata set 1

I thought this Kong plugin’s main role is to verify access_tokens and redirect/kickstart the oauth2 flow if it’s missing or expired, and maybe not act on behalf of the Client?