I've seen a lot of posts recommending using Xamarin.Auth for SSO in Xamarin, but having reviewed a tutorial as well as the GitHub Getting Started wiki (in which says it supports "Authorization Code Flow", but seems to require a secret key from the client to get the auth code, which is not what I'm looking for) and searched the web fruitlessly for "Xamarin.Auth implicit flow", and "Xamarin.Auth authorization code flow", it appears to me that Xamarin Auth supports only Implicit flow, which is less secure than an Authorization Code flow for a native app that is connected to a backend web server application as mine is. Am I correct in understanding that Xamarin.Auth can only support an implicit flow (requiring that the access token be sent to the client, and a client_secret can't be retained server-side and sent server-side as part of the retrieval of the access token), and not an authorization code flow (in which the client would receive only an authorization code, which it would then send to the server, which then would retrieve the access token using a client-secret and possibly a PKCE exchange)?
Furthermore, even flows with other libraries I've seen recommended seem to retrieve the access token to the client - AppAuth supports PKCE, which is a security improvement vs no PKCE, but the posts I see showing examples of it here and here and here still all retrieve the access token on the client. Auth0 is also recommended in some posts I've seen (e.g. here), but the example I see for that here also retrieves the access token on the client.
Is there a reason why sites are not doing this? Is there a sample or API documentation anyone can point me to for a library that does support retrieving only an authorization code client-side in a Xamarin application? (and then separately, server-side, using that to retrieve the access token using a client-secret, not necessarily with the same security library since that would not need to be Xamarin code - this server-side part I feel confident is a pretty standard thing - e.g. as outlined for Auth0 here)?
Xamarin.Auth do support Authorization Code Flow. As you find in the tutorial, Xamarin.Auth's OAuth2Authenticator class has a parameters called 'Client Secret', together with other provided parameters, Xamarin.Auth is capable of handling the Authorization Code exchange part and return the access token directly back to you, it looks like this part didn't happen, but actually it did.
Digging into OAuth2Authenticator source code, method VerifyOAuth2FlowResponseType shows Xamarin.Auth provides both Authorization Code Flow and implicit flow. For more detailed information, you may read the code together with The OAuth 2.0 Authorization Framework
And here is an example for Authorization Code Flow from client side.