OAuth2 Considerations in Desktop Application

I’m implementing a Zoom integration in a Desktop application that needs to invoke a couple of REST APIs for meetings (Get/Create/Modify/Delete). In order to get an OAuth2 access token, I need to specify my client_secret as a Base64 encoded Authorization header. In this publicly available desktop application there is no way to guarantee the security of a client_secret embedded in my code. According to the documentation, this seems to be required whether or not I’m using PKCE. Is there some other way to accomplish this that does not require embedding a client_secret in my application? Or do people just generally accept that the Zoom OAuth2 client_secret is not really a secret?

Given that my desktop application does not have a corresponding web backend, I don’t really have a valid https URL for an OAuth2 redirect_uri. It doesn’t really matter for my application considering that my embedded browser intercepts the redirect and just extracts the needed information. However, I’m curious to know if Zoom has any recommendations here for desktop applications. I’ve seen some applications use something like https://localhost/oauth2/redirect or a custom URI scheme like myapp://oauth2/redirect. Any advice on a preferred approach?
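As an added example (not from the original post and not Zoom's SDK), here is how a public desktop client is expected to run the authorization-code flow under RFC 7636 (PKCE) and RFC 8252 (loopback redirect) without shipping a client_secret: the code_verifier, generated fresh per login and kept in memory, is what binds the authorization code to this client. The Zoom endpoint URLs, client_id and the loopback path are assumptions; nothing here sends a network request, and whether Zoom's token endpoint accepts a secret-less exchange for a given app type is not verified by this code.

```python
"""PKCE + loopback redirect for a desktop OAuth2 client (added example, not Zoom's code)."""
import base64
import hashlib
import secrets
import socket
from typing import Tuple
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://zoom.us/oauth/authorize"  # assumed endpoint
TOKEN_URL = "https://zoom.us/oauth/token"          # assumed endpoint


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    """S256 transform: challenge = base64url(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """Fresh 43-char verifier (32 random bytes) and its challenge; the verifier never leaves RAM."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge(verifier)


def loopback_redirect_uri(path: str = "/callback") -> Tuple[str, socket.socket]:
    """RFC 8252 loopback: bind 127.0.0.1 on an ephemeral port and build the redirect_uri.
    The caller accepts one connection on the socket to receive the ?code=...&state=... request."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port; no fixed localhost URL needed
    sock.listen(1)
    return f"http://127.0.0.1:{sock.getsockname()[1]}{path}", sock


def authorize_url(client_id: str, redirect_uri: str, challenge: str, state: str) -> str:
    """URL to open in the system browser; state is a random nonce checked on return."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "code_challenge": challenge, "code_challenge_method": "S256", "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_redirect(url: str, expected_state: str) -> str:
    """Extract the code from the loopback redirect; a state mismatch means a forged/replayed redirect."""
    qs = parse_qs(urlparse(url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this redirect was not started by this client session")
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    return qs["code"][0]


def token_request_body(code: str, verifier: str, client_id: str, redirect_uri: str) -> dict:
    """Form body for POST TOKEN_URL: the verifier replaces any client_secret for a public client."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "code_verifier": verifier}
```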
