Hi Pierre
To see which flow you use, check this:
It will most likely be Auth Code or Auth Code + PKCE
The “Authorized Applications” is something you’ll have to implement yourself, with a field in the user’s app_metadata containing all applications they are authorized for, and adding this data to the ID token. The app should then verify the ID token and look at this field.
Or if you can protect at an API level instead of an app level, use the Access token instead.
John