We’re also trying to figure out the answer to this question. Followed the same steps as you since we needed the client secret, but not sure how to solve the redirect_uri_mismatch.
EDIT: Managed to get it working by adding the redirect URI to the “Authorized redirect URIs” list in Google Cloud console:
https://<YOUR_TENANT_DOMAIN>/login/callback
Also make sure not to have a trailing slash in the above, as that isn’t handled well!
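
An added example, not part of the original post: a small Python check that pulls the `redirect_uri` out of an authorization request URL and compares it against the entries in the "Authorized redirect URIs" list, reporting near misses such as the trailing slash mentioned above. It assumes the comparison is an exact string match; the tenant domain, client ID and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: authorization request URL as seen in the browser address bar.
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=CONSTRUCTED_ID"
    "&redirect_uri=https%3A%2F%2Ftenant.example.com%2Flogin%2Fcallback"
    "&response_type=code"
)

def redirect_uri_from_auth_url(auth_url):
    """Return the redirect_uri parameter sent in the authorization request."""
    values = parse_qs(urlsplit(auth_url).query).get("redirect_uri", [])
    return values[0] if values else None

def diagnose(sent, registered):
    """Exact-match `sent` against `registered`; explain near misses on failure."""
    if sent in registered:
        return True, []
    reasons = []
    s = urlsplit(sent)
    for candidate in registered:
        c = urlsplit(candidate)
        same_host = s.netloc.lower() == c.netloc.lower()
        if sent.rstrip("/") == candidate.rstrip("/"):
            reasons.append(f"trailing slash differs from {candidate!r}")
        elif same_host and s.path == c.path and s.scheme != c.scheme:
            reasons.append(f"scheme differs from {candidate!r}")
        elif same_host and (s.scheme, s.path) == (c.scheme, c.path):
            reasons.append(f"host case differs from {candidate!r}")
        elif (s.scheme, s.netloc) == (c.scheme, c.netloc):
            reasons.append(f"path differs from {candidate!r}")
    if not reasons:
        reasons.append("no registered URI is close; register the exact value sent")
    return False, reasons

if __name__ == "__main__":
    sent = redirect_uri_from_auth_url(SAMPLE_AUTH_URL)
    # Constructed console entries: one with a trailing slash, one with http.
    registered = [
        "https://tenant.example.com/login/callback/",
        "http://tenant.example.com/login/callback",
    ]
    ok, why = diagnose(sent, registered)
    print(sent, "->", "match" if ok else "redirect_uri_mismatch")
    for line in why:
        print("  ", line)
```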