We are developing a native application and server.
I have been reading about the OAuth Authorization flow using PKCE and it seems to be the right thing to do. Still from the user experience point of view, I don’t like that the app needs to use an external user agent to get the authorization code.
We wouldn’t use any 3rd-party API access, only our applications will be expected to authenticate to keycloak.
Would we be able to securely use another flow that doesn’t require us to redirect users?
How should we manage secrets? (we are developing to iOS and android)
Thank you.