
Why do Apple and Google require a separate client_id per platform (web, android, ios) for implementing OAuth? - Stack Overflow


I've been trying to understand the OAuth2 protocol lately and I think I have a decent understanding.

Here is a brief overview of how I understand OAuth sign-in on a headless website:

  1. User wants to log in on the website and clicks Google login
  2. Frontend redirects to portal with client_id
  3. User gives permission.
  4. Frontend receives auth_code (in auth-code flow at least)
  5. Frontend sends auth-code to backend
  6. Backend exchanges auth-code for access-token. This requires client_secret and client_id.
  7. Backend exchanges access-token for data

So if the frontend with client_id 'some-string' requests permission and it's granted, then the backend with client 'some-string' and its associated client_secret is able to get the user data.

Now I learn that other platforms (android, ios) need separate client_ids configured. This doesn't make sense to me. Can anyone explain that to me?
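The flow listed in the question, as an added example that is not part of the original post: it builds the step 2 redirect, validates the step 4 callback, and assembles the step 6 token request, showing which messages carry only `client_id` and which also carry `client_secret`. The endpoint, redirect URI, secret and scope values are constructed placeholders, and the `state` parameter comes from RFC 6749 rather than from the post.

```python
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders; a real provider issues these at client registration.
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "some-string"
CLIENT_SECRET = "placeholder-secret"   # held by the backend only
REDIRECT_URI = "https://app.example.com/callback"


def build_authorization_url(state: str) -> str:
    """Step 2: frontend redirect. Only the public client_id travels here."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",       # assumed scope for illustration
        "state": state,                # per-login random value (RFC 6749)
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Steps 4-5: pull the auth code out of the redirect, rejecting bad responses."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    returned = query.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the response is not ours.
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(code: str) -> dict:
    """Step 6: form body the backend POSTs to the provider's token endpoint."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must match the value sent in step 2
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
```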
