JavaScript

How secure is workflow oAuth 2?

Hello everyone
, here I found such an oAuth2 authorization workflow
https://github.com/sahat/satellizer/wiki/Login-wit...

Client: Open a popup window via $auth.authenticate('provider name').
Client: Sign in with that provider, if necessary, then authorize the application.
Client: After successful authorization, the popup is redirected back to your app, eg localhost:3000 , with the code (authorization code) query string parameter.
Client: The code parameter is sent back to the parent window that opened the popup.
Client: Parent window closes the popup and sends a POST request to /auth/provider withcode parameter.
Server: Authorization code is exchanged for access token.
Server: User information is retrieved using the access token from Step 6.
Server: Look up the user by their unique Provider ID. If user already exists, grab the existing user, otherwise create a new user account.
Server: In both cases of Step 8, create a JSON Web Token and send it back to the client.
Client: Parse the token and save it to Local Storage for subsequent use after page reload.

I have a question about the security of such a workflow , because at step 3 you can simulate
a response from an external site in a child window you can also pass any url you need to the parent window, or am I mistaken? Or is there security in this? can you explain? how much I read I can’t understand how the security of such authorization is organized thanks for earlier PS on the angular client, on the nodejs server