Yes, it is safe to use the client_id in the front-end. The important thing is to keep the client_secret secret on the back-end.

Yes, it is definitely the right implementation: parsing, checking and validating the “token” should be done in the back-end.