Context
I am developing a solution with
- Two clients, a mobile one and an SPA.
- An authorization server under my control.
- A resource server / identity provider, that provides user data and features through an API.
I am using OAuth2.0 because it can provide advantages such as allowing third-party apps to easily integrate with my Auth server / IdP, whether it be to have access to user data, or API features. It would also allow the clients to integrate with other IdPs and eventually have their data migrated over to mine.
OAuth Flow
Authentication
During the OAuth flow, there is a redirection to authenticate the user on the authorization server. At that point the user enters credentials and consents to the scopes/claims the clients want access to. In the case of third-party client applications I understand that:
- Mobile: the latest RFCs recommend browser custom tabs for mobile apps.
- SPAs: being browser-based, a simple redirection.
But that's the use case where it's a third-party client app delegating authentication and account management to my IdP system. This ensures the mobile application can't snoop on the user's credentials (and can eventually leverage the SSO solution of the IdP so there's no need for credential input).
In my case, I own both the client and the rest.
My first question is: Since I own the application, whether it be mobile or web, do I necessarily need to implement that redirection to a UI hosted on my IdP? Or can I have a form directly as a part of the mobile/web app and authenticate the user through REST (and then follow the rest of the OAuth flow to deliver an AccessToken + IdToken for OIDC)?
Scopes
When it's third-party client applications, I understand that we must display to the end user the data (scopes/claims) the client wants access to. The user must give explicit consent and know what data is going to be used by the application.
But in my case, since I own the application, can't I just have a Terms & Conditions page the user approves to use the app and skip the scopes/claims approval in the OAuth flow?
In brief, what's best practice, and why, when there's no third party involved?
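As an added illustration (not part of the question, and not the code of any real IdP or library), here is a toy Python authorization server that separates the two things the question conflates: the redirect-based authorization code grant with PKCE, which the OAuth 2.0 Security Best Current Practice recommends for public clients such as mobile apps and SPAs, and the consent screen, which an authorization server can make a per-client policy. The client registry, the `first_party` flag, the endpoint URL and the redirect URIs are all hypothetical. The token endpoint deliberately accepts only `authorization_code`, so an in-app credential form (which would need the password grant) has nothing to call; an owned client skips consent but still sends the user through the IdP's own login page.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed client registry (hypothetical). The "first_party" flag is the
# policy knob the question asks about: it lets the server skip the consent
# screen for clients the IdP operator owns, without changing the flow itself.
CLIENTS = {
    "mobile-app": {"first_party": True, "redirect_uris": {"com.example.app:/oauth2redirect"}},
    "partner-spa": {"first_party": False, "redirect_uris": {"https://partner.example/callback"}},
}
AUTHORIZE_ENDPOINT = "https://idp.example/oauth2/authorize"  # hypothetical


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Client side: a random code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(client_id, redirect_uri, scope, state, code_challenge) -> str:
    """Client side: the URL the app opens in a custom tab / browser redirect."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


class AuthorizationServer:
    """Toy authorization server: authorization-code grant with PKCE only."""

    def __init__(self):
        self._codes = {}  # code -> binding record; every code is single-use

    def consent_required(self, client_id: str) -> bool:
        # Policy: third-party clients always see the scope/consent screen;
        # first-party clients covered by the service's own terms do not.
        return not CLIENTS[client_id]["first_party"]

    def authorize(self, client_id, redirect_uri, scope, state, code_challenge,
                  authenticated_user, consent_given=False):
        """Called after the user authenticated on the IdP's own login page."""
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("invalid_client_or_redirect_uri")  # exact-match redirect URIs
        if self.consent_required(client_id) and not consent_given:
            raise ValueError("consent_required")
        code = _b64url(secrets.token_bytes(24))
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "scope": scope, "user": authenticated_user,
                             "code_challenge": code_challenge}
        return {"code": code, "state": state}  # delivered to the client on redirect_uri

    def token(self, grant_type, client_id, redirect_uri, code=None, code_verifier=None):
        """Token endpoint: only authorization_code is accepted; the password grant is refused."""
        if grant_type != "authorization_code":
            raise ValueError("unsupported_grant_type")
        record = self._codes.pop(code, None)  # pop: a code can be redeemed once
        if (record is None or record["client_id"] != client_id
                or record["redirect_uri"] != redirect_uri):
            raise ValueError("invalid_grant")
        expected = _b64url(hashlib.sha256((code_verifier or "").encode("ascii")).digest())
        if not hmac.compare_digest(expected, record["code_challenge"]):
            raise ValueError("invalid_grant")  # PKCE binds the code to the app that started the flow
        # Opaque demo tokens; a real server would mint signed JWTs and an id_token for OIDC.
        return {"access_token": _b64url(secrets.token_bytes(32)), "token_type": "Bearer",
                "scope": record["scope"], "subject": record["user"]}


def run_first_party_login(server, user="alice"):
    """Full flow for the owned mobile client: redirect + PKCE, no consent screen."""
    verifier, challenge = make_pkce_pair()
    state = _b64url(secrets.token_bytes(16))
    redirect = "com.example.app:/oauth2redirect"
    url = build_authorization_url("mobile-app", redirect, "openid profile", state, challenge)
    assert url.startswith(AUTHORIZE_ENDPOINT)
    callback = server.authorize("mobile-app", redirect, "openid profile", state, challenge, user)
    if callback["state"] != state:  # the client checks state before redeeming the code
        raise ValueError("state_mismatch")
    return server.token("authorization_code", "mobile-app", redirect,
                        code=callback["code"], code_verifier=verifier)


if __name__ == "__main__":
    print(run_first_party_login(AuthorizationServer()))
```

The design point is that "I own the client" changes the consent policy, not the authentication channel: the password never passes through the app, the code is bound to the redirect URI and PKCE verifier, and the same server serves a third-party client simply by flipping `first_party` to `False`.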