Since you are trying to learn this for a school project, the main question you are asking around ID and Secrets are not JavaScript related but deal with OAuth2. This is a good place to start, even a little bit down it has a diagram that illustrates the OAuth2 flow in more detail:
http://www.bubblecode.net/en/2016/01/22/understanding-oauth2
The gist is this - which means, 10,000 ft view, take this with a grain of salt. Other people may describe this differently and that page will provide much greater detail.
Your Client ID provides a “public” identifier that may be used and exposed. The Secret should always be kept, well, secret, and never exposed on a web page (be careful with JavaScript - I prefer the MVC design pattern). This is used as a key, if you would, to truly identify yourself and to allow a user to trust you when they authenticate. Once they provide authorization you will get back an Access Token and Refresh Token that allows you to perform actions on behalf of the user. The user authorization is only needed if you are wanting to access secure endpoints (protected by Scope).
What is Scope? Scope is what you are requesting the user to give your application access to. Services provide different levels of Scope as needed to protect endpoints as needed.
The Twitch API docs provide information as to how they provide access to all of this:
Good luck!