Not sure how Expo works and didn’t understand the “eject” bit, sorry about that.
Our libraries do indeed open the device’s native browser as per recommendations of the OAuth 2.0 Threat Model and Security Considerations. An embedded WebView is rejected by some identity providers (like Google) because it could potentially enable an application to steal the user credentials or do other malicious activities on behalf of the user (like automatically giving consent without the user intervention).
If you want to implement the flow in the app’s embedded browser (which, again, is not recommended because of security concerns and might be rejected by some identity providers) you will have to implement the Code Authorization grant with PKCE to obtain refresh tokens.