This recipe shows you how to create a native OAuth 2.0 client application for Android that integrates with an OAuth 2.0 protected API using the Authorization Code grant type. The OAuth 2.0 specification (RFC 6749) states that public clients shouldn't use the Authorization Code grant type. On the other hand, the recently published RFC 8252 states that Authorization Code should be used in conjunction with dynamic client registration and PKCE validation (we will see more about both approaches later in this chapter).
Note
The application created for this recipe uses a client ID and client secret issued for a pre-registered client application, just for the brevity of the recipe. But bear in mind that, as per the OAuth 2.0 specification, the Authorization Server must not issue a client secret to native clients that aren't running on a specific device.