I am maintaining a classic Windows desktop application and want to replace its custom username + password authentication by OpenID Connect. In the end, I managed to make it work: It starts a micro HTTP service locally, then asks the default system browser to request an OpenID Token to be delivered by redirection to the local HTTP service. So far, so good.
Now the problem is that in production, that classic Windows Desktop application will be deployed on thousands of customer PCs. Each PC has a different host name, and each PC has different free IP ports. So in reality, the person maintaining the Auth0 service account cannot know upfront all allowed host names and possible ports. Or in other words, he would use “http://localhost:*/resume” as a generic allowed redirection URL. Apparently this is not wanted by Auth0.
As adding OpenID Connect to classic Windows Desktop applications is a default case, and as starting a local HTTP service apparently is the default solution, I wonder how others solved that problem with the host names and free ports? What is the official Auth0 advice on this topic?
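The loopback-listener flow the post describes, written out as an added example (it is not code from the post, and not Auth0's own sample; Python is used here rather than the desktop application's language so it can be run directly). It shows the parts a maintainer most wants to get right in that pattern: binding the listener to the loopback IP literal on port 0 so the OS hands out a free port, putting that port into the `redirect_uri` at runtime (the shape RFC 8252 describes for native apps), and tying the request to the listener with a `state` value and a PKCE challenge so a redirect that does not carry the expected `state` is rejected. The issuer URL and client id are placeholders, and the browser's redirect back to the listener is simulated with a constructed local HTTP request.

```python
import base64
import hashlib
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

REDIRECT_PATH = "/resume"  # same path the post uses for the local redirect endpoint


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(SHA-256(verifier)) with padding stripped (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce():
    """Fresh verifier/challenge pair; token_urlsafe(64) gives 86 chars, inside the 43..128 limit."""
    verifier = secrets.token_urlsafe(64)
    return verifier, pkce_challenge(verifier)


def build_authorize_url(issuer, client_id, redirect_uri, state, challenge, scope="openid profile"):
    """Authorization Code + PKCE request; redirect_uri carries the port chosen at runtime."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return issuer.rstrip("/") + "/authorize?" + urllib.parse.urlencode(params)


class _RedirectHandler(BaseHTTPRequestHandler):
    """Accepts exactly one redirect on REDIRECT_PATH whose state matches the pending request."""

    def do_GET(self):
        parsed = urllib.parse.urlsplit(self.path)
        if parsed.path != REDIRECT_PATH:
            return self._reply(404, "not found")
        query = urllib.parse.parse_qs(parsed.query)
        state = query.get("state", [None])[0]
        code = query.get("code", [None])[0]
        # A redirect with the wrong state is not the one this process asked for: drop it.
        if state != self.server.expected_state or code is None or self.server.done.is_set():
            return self._reply(400, "invalid or unexpected state")
        self.server.result = code
        self.server.done.set()
        self._reply(200, "Login complete. You can close this window.")

    def _reply(self, status, text):
        body = text.encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class LoopbackListener:
    """Loopback HTTP listener on an ephemeral port that waits for the authorization code."""

    def __init__(self, expected_state):
        # Port 0 lets the OS pick a free port; bind to the loopback IP literal, not a host name.
        self.server = HTTPServer(("127.0.0.1", 0), _RedirectHandler)
        self.server.expected_state = expected_state
        self.server.result = None
        self.server.done = threading.Event()
        self.port = self.server.server_address[1]
        self.redirect_uri = f"http://127.0.0.1:{self.port}{REDIRECT_PATH}"
        self._thread = threading.Thread(target=self.server.serve_forever, daemon=True)

    def start(self):
        self._thread.start()

    def wait_for_code(self, timeout=120.0):
        got = self.server.done.wait(timeout)
        self.server.shutdown()
        self.server.server_close()
        return self.server.result if got else None


def simulate_browser_redirect(redirect_uri, state, code) -> int:
    """Stands in for the browser: GET the local redirect with the given query; returns the HTTP status."""
    url = redirect_uri + "?" + urllib.parse.urlencode({"code": code, "state": state})
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo() -> dict:
    """Run the whole flow offline with constructed values (placeholders, not a real tenant)."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce()
    listener = LoopbackListener(state)
    listener.start()
    url = build_authorize_url("https://TENANT-PLACEHOLDER.example", "CLIENT-ID-PLACEHOLDER",
                              listener.redirect_uri, state, challenge)
    # A real app would call webbrowser.open(url) here; the two requests below replace the browser.
    wrong = simulate_browser_redirect(listener.redirect_uri, "not-the-pending-state", "stray-code")
    right = simulate_browser_redirect(listener.redirect_uri, state, "constructed-auth-code")
    code = listener.wait_for_code(timeout=5)
    return {"port": listener.port, "redirect_uri": listener.redirect_uri, "authorize_url": url,
            "wrong_state_status": wrong, "right_state_status": right, "code": code, "verifier": verifier}


if __name__ == "__main__":
    print(demo())
```

The returned `code` would then be exchanged at the token endpoint together with `verifier`; that exchange is left out because it needs a live issuer. Note that the `redirect_uri` is built from the listener's actual port after binding, which is exactly why a fixed list of host names and ports cannot be registered up front.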