We are building an iOS SwiftUI application that interacts with Shopify. The application is intended to be a public application published in the Shopify App Store. We have been building the application using private app credentials, but we are now ready to implement the public OAuth authorization flow. It is our understanding that the OAuth 2.0 specification includes a flow that will support this use case.
Our general question is:
Does Shopify's authorization server support native apps, as documented in RFC 8252, either through custom URI schemes or loopback HTTP redirects?
There are several redirect URI options available to native apps for receiving the authorization response from the browser, the availability and user experience of which varies by platform. To fully support this best practice, authorization servers MUST offer at least the three redirect URI options described in the following subsections to native apps. Native apps MAY use whichever redirect option suits their needs best, taking into account platform-specific implementation details.
Private-Use URI Scheme Redirection
Claimed "https" Scheme URI Redirection
Loopback Interface Redirection
Does Shopify's authorization server support any of these three redirect options?
Public native app clients MUST implement the Proof Key for Code Exchange (PKCE [RFC7636]) extension to OAuth, and authorization servers MUST support PKCE for such clients, for the reasons detailed in Section 8.1.
Does Shopify's authorization server support PKCE?
If the answer to either of these questions is no, which authorization mechanism does Shopify recommend for iOS native applications?
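
For reference, the client side of the RFC 8252 flow asked about above, as an added example that is not part of the original post and not Shopify code: PKCE (S256) values, the authorization request, and validation of the response delivered to a private-use URI scheme. The endpoint, client ID, redirect URI and scheme are placeholders passed in by the caller, and the sketch assumes an authorization server that accepts `code_challenge`, which is the open question here.

```swift
import Foundation
import CryptoKit

enum OAuthError: Error { case badRedirect, stateMismatch, denied(String), missingCode }

// base64url without padding, as RFC 7636 requires for verifier and challenge.
func base64URL(_ data: Data) -> String {
    data.base64EncodedString()
        .replacingOccurrences(of: "+", with: "-")
        .replacingOccurrences(of: "/", with: "_")
        .replacingOccurrences(of: "=", with: "")
}

// 32 bytes from the system CSPRNG give a 43-character code_verifier or state value.
func randomToken(byteCount: Int = 32) -> String {
    base64URL(Data((0..<byteCount).map { _ in UInt8.random(in: UInt8.min...UInt8.max) }))
}

// S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
func codeChallenge(for verifier: String) -> String {
    base64URL(Data(SHA256.hash(data: Data(verifier.utf8))))
}

// Builds the request opened in the system browser; every argument is a placeholder (assumption).
func authorizationURL(endpoint: URL, clientID: String, redirectURI: String,
                      state: String, verifier: String) -> URL? {
    var parts = URLComponents(url: endpoint, resolvingAgainstBaseURL: false)
    parts?.queryItems = [
        URLQueryItem(name: "response_type", value: "code"),
        URLQueryItem(name: "client_id", value: clientID),
        URLQueryItem(name: "redirect_uri", value: redirectURI),
        URLQueryItem(name: "state", value: state),
        URLQueryItem(name: "code_challenge", value: codeChallenge(for: verifier)),
        URLQueryItem(name: "code_challenge_method", value: "S256"),
    ]
    return parts?.url
}

// Validates the redirect delivered to the app's private-use scheme before the code is used.
func authorizationCode(from callback: URL, scheme: String, expectedState: String) throws -> String {
    guard callback.scheme?.lowercased() == scheme.lowercased(),
          let items = URLComponents(url: callback, resolvingAgainstBaseURL: false)?.queryItems
    else { throw OAuthError.badRedirect }
    func value(_ name: String) -> String? { items.first(where: { $0.name == name })?.value }
    guard value("state") == expectedState else { throw OAuthError.stateMismatch }
    if let error = value("error") { throw OAuthError.denied(error) }
    guard let code = value("code"), !code.isEmpty else { throw OAuthError.missingCode }
    return code
}
```

The `code_verifier` stays in the app and is sent only with the token request, so an authorization code intercepted by another app that registered the same scheme cannot be redeemed without it.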