Android
Pavel Mukhataev, 2022-01-21 21:05:18

Why do I need an Android package name + SHA fingerprint to set up client OIDC authorization?

There is OIDC authorization. For authorization on a client that is not protected from reverse engineering, the PKCE extension is used so that authorization can work without a secret key issued by the provider, since the client cannot ensure the protection of this key. But at the same time, all OIDC providers require Android clients to specify a package name and a SHA-1 or SHA-256 certificate fingerprint (similarly for other non-server clients: iOS, Windows). But how is this information used for authorization? For native OIDC clients, providers supply their own libraries that must be used, but there is no description of what exactly happens inside them: which flow is used, what parameters are sent, and what the callback URL is. I googled but didn't find anything about it either. Maybe someone knows.
I was thinking that maybe the OIDC provider uses a redirect URL that should be handled by my app as an Android App Link, and then for each client an entry would be added to /.well-known/assetlinks.json (https://developer.android.com/training/app-links/v...). But it seems not; it is not added.
So how does it work? They don't ask for it for nothing.
This can be useful if, for example, you are writing your own OIDC server implementation.
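The PKCE exchange the question describes, written out as an added example (it is not code from the original post or from any provider's SDK): the client generates a `code_verifier`, sends only its S256 `code_challenge` with the authorization request, and a toy authorization server binds that challenge to the issued code and checks the verifier when the code is redeemed. The `AuthorizationServer` class, its method names and the in-memory code store are assumptions made for illustration; the test vector is the one from RFC 7636 Appendix B. The package name and certificate fingerprint the question asks about are not part of PKCE itself, so the example only shows what PKCE guarantees on its own: whoever redeems the code must be the party that started the request.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 chars from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """32 random bytes -> 43 base64url chars, the RFC's recommended minimum entropy."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))); 'plain' is allowed but discouraged."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


class AuthorizationServer:
    """Hypothetical minimal server: stores the challenge with the code, checks it on redemption."""

    def __init__(self) -> None:
        # code -> (client_id, redirect_uri, code_challenge, method); in memory for the example
        self._codes: dict[str, tuple[str, str, str, str]] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str = "S256") -> str:
        """/authorize: after the user consents, issue a code bound to the PKCE challenge."""
        if code_challenge_method not in ("S256", "plain"):
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, code_challenge, code_challenge_method)
        return code

    def token(self, client_id: str, redirect_uri: str, code: str, code_verifier: str):
        """/token: no client secret; the verifier is the proof of possession. None on failure."""
        entry = self._codes.pop(code, None)        # pop -> a code can be redeemed once only
        if entry is None:
            return None
        stored_client, stored_redirect, challenge, method = entry
        if client_id != stored_client or redirect_uri != stored_redirect:
            return None
        if not _VERIFIER_RE.fullmatch(code_verifier):
            return None
        expected = make_code_challenge(code_verifier, method)
        if not hmac.compare_digest(expected, challenge):   # constant-time compare
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(use_wrong_verifier: bool = False) -> dict:
    """Drive one client/server exchange and report what happened (used by the self-check)."""
    server = AuthorizationServer()
    client_id, redirect_uri = "com.example.app", "com.example.app:/oauth2redirect"
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # Client sends only the challenge; an attacker who intercepts the redirect gets just the code.
    code = server.authorize(client_id, redirect_uri, challenge)
    presented = make_code_verifier() if use_wrong_verifier else verifier
    first = server.token(client_id, redirect_uri, code, presented)
    replay = server.token(client_id, redirect_uri, code, verifier)  # same code a second time
    return {"token_issued": first is not None, "replay_rejected": replay is None}


if __name__ == "__main__":
    print("honest client:", run_flow())
    print("intercepted code, no verifier:", run_flow(use_wrong_verifier=True))
```

The `pop` in `token()` is deliberate: RFC 7636 only binds the verifier to the code, and the server still has to make the code single-use itself, otherwise a stolen code can be replayed after the legitimate client has redeemed it.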
