According to the Mobile App Google 
CodePudding user response:
The redirect uri is actually not differentiated by whether it's backend or frontend.
When you create authz credentials in Google, you're supposed to define the redirect method and the uri itself. Here's the type google suggests from the doc you linked:
Custom URI scheme (Android, iOS, UWP) A custom URI scheme is recommended for Android apps, iOS apps, and Universal Windows Platform (UWP) apps.
The uri scheme tells the OS that when it sees a matching url, open a particular app (rather than the browser).
Obviously, if you're using the mobile phone's web browser for the flow, then you needn't worry about the custom scheme. This is even the preferred method in the native apps rfc.
CodePudding user response:
I think what you want to achieve can be done in the following way:
Implement the Authorization Request on the Mobile app, and set redirect_uri in a way that redirects back to your app, i.e: claim that url with your app. When you get the auth code in your app, send that auth code to your backend, and do the token request from your backend. That way, you'll have all tokens on the backend.
The flow is:
- Authorization Request from mobile app to OAuth provider (e.g: Google).
- Google responds with auth_code to your mobile app.
- Send that auth_code to backend (this is your own Token Request route).
- Do the Token Request on backend with the auth_code and get access_token and refresh_token -- here you have the possibility to store it.
- Respond to the mobile app with the desired token so it can use it for authentication/authorization.