Why does the request require the client ID and secret key?

I'm trying to implement this in a webapp I'm developing and don't understand why we need to explicitly state the oauth credentials in the app. 

Shouldn't the user be authenticating themselves, why does Passport require additional credentials? And how would I mask these credentials from being exposed over the internet?