I have an android native app as client and spring boot service in the backend with REST endpoints. I want to know the best possible strategy for authentication with oAuth2 (without the social login approach).
I am currently using spring oauth security & have an authorization server up and running(user signs up with email & password). I use the grant type "password" to get access tokens in the android app. However, this approach requires the android app to send the client ID & secret in the request. I read a few posts which suggest that this grant type is not ideal. I dont mind receiving the user's password, but i think storing the client secret in the app is not a good approach.
Another approach would be to use the Authorization Code grant flow, but in this case since i only have a native app & backend APIs, i dont know how to authorize the user. It doesn't seem like a seamless experience for users to see a browser page asking them to authorize the app. Which doesnt make sense also because this is no third party app.
I found a post where people suggest using Authorization Code flow with PKCE. But this apparently doesn't yet work with spring.
So, now i am left wondering how other native mobile apps, handle authentication? Do they not use access token? How best can i support authentication when dealing with a mobile app & spring backend?