Thanks for pointing that out. Actually the intention is not to expose the server’s signing key or secret to the client. That would not be secure. However, in this tutorial, I have used the same password for signing and as the client password, and that’s definitely confusing and misleading. I have now updated the code and this post to give a separate secret to the client.
In non-trivial implementations, the client ids and secrets would be maintained in a separate API and shared in a secure fashion. For brevity’s sake, they have been hardcoded in this post.