I am implementing login within a new native application (iOS and Android) and deciding on the kind of authentication to adopt. There are some quite clear guidelines around OAuth that state that this should be done using an external agent (browser) and this leads me to Authorization Code Grant with PKCE

https://tools.ietf.org/html/rfc8252

Implementation here: https://appauth.io/

However, my designers and product owners are sceptical. They dont see that kind of login very much (they dont like the address bar) and want to explore the Resource Owner Password Credentials option. Essentially direct login. Their argument is that it is simple and familiar.

I dont want to compromise security and as such I am resisting this option. But... I have read some articles that seem to suggest that this could be secure if I dynamically generate the client used for the auth request:

https://tools.ietf.org/html/rfc6749#section-10.1

The authorization server MUST NOT issue client passwords or other
client credentials to native application or user-agent-based
application clients for the purpose of client authentication. The
authorization server MAY issue a client password or other credentials for a specific installation of a native application client on a
specific device.

This is backed up by AppAuth documentation here:

https://github.com/openid/AppAuth-Android#dynamic-client-registration

https://tools.ietf.org/html/rfc7591

Am I interpreting this correctly? I am considering initial user registration in-app that returns an access token that can be used to dynamically generate a client (with secret) that can be used for login using ROPC.

I am thinking to be secure then this dynamically generated client should only be used for login for the single user - one client per user, but maybe one client per device is also secure enough.

It seems a little 'hand rolled', so I am nervous. Am I right to be so?