Zoom OAuth Implementation for Native Windows WPF Application
We’re developing an internal Windows WPF application that will be used by customers whose Zoom accounts are registered as sub-accounts on our tenant. We’re using OAuth 2.0 to allow users to sign in with their Zoom accounts.
Current Implementation:
- Native Windows WPF application
- Using OAuth 2.0 with PKCE for authorization
- Currently using localhost as redirect URI during testing
- Implementation follows RFC 8252 specifications for native apps (RFC8252#section-7.3)
- Everything is working properly in our testing environment
Question:
Zoom’s security best practices (docs/distribute/security-best-practices) state: “Use fully-qualified domain names (FQDN), avoiding localhost addresses.”
Does this guidance apply to native desktop applications?
Since we’re developing a native Windows app (not a web application), we’re confused whether:
- We even need a published (non-listed) general app for sub-account user authentication
- We need to use a private-URI scheme instead of localhost
- The recommendation against localhost is primarily intended for web applications
- Our current localhost implementation will be approved despite the guidance
RFC 8252 indicates that using localhost is valid for native app OAuth flows, so we’re seeking clarification on Zoom’s specific requirements before proceeding with our implementation.
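
For readers unfamiliar with the flow the post describes, here is a sketch of a PKCE authorization request with a loopback redirect (RFC 8252 section 7.3, RFC 7636). It is an added example, not the poster's code or Zoom's. The endpoint, client ID and class name are placeholders, and it assumes the authorization server accepts a loopback redirect with a port chosen at run time, which this page does not confirm for Zoom.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Text;
static class LoopbackPkceDemo   // hypothetical name, for illustration only
{
    // Placeholders, not real values: substitute the provider's endpoint and your client ID.
    const string AuthEndpoint = "https://auth.example.com/oauth/authorize";
    const string ClientId = "CLIENT_ID_PLACEHOLDER";
    // base64url without padding, the encoding RFC 7636 uses for verifier and challenge.
    static string B64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static string RandomToken(int byteCount)
    {
        var buf = new byte[byteCount];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        return B64Url(buf);
    }
    // S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    static string Challenge(string verifier)
    {
        using (var sha = SHA256.Create())
            return B64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(verifier)));
    }
    static void Main()
    {
        var probe = new TcpListener(IPAddress.Loopback, 0);   // port 0: the OS picks a free port
        probe.Start();
        int port = ((IPEndPoint)probe.LocalEndpoint).Port;
        probe.Stop();                                         // small race until HttpListener binds
        string verifier = RandomToken(32);   // 43 characters, the RFC 7636 minimum length
        string state = RandomToken(16);      // ties the callback to this authorization request
        string redirect = $"http://127.0.0.1:{port}/";   // IP literal, per RFC 8252 section 8.3
        using (var http = new HttpListener())
        {
            http.Prefixes.Add(redirect);
            http.Start();
            // URL to open in the system browser (not an embedded web view).
            Console.WriteLine($"{AuthEndpoint}?response_type=code&client_id={Uri.EscapeDataString(ClientId)}" +
                $"&redirect_uri={Uri.EscapeDataString(redirect)}&state={state}" +
                $"&code_challenge={Challenge(verifier)}&code_challenge_method=S256");
            HttpListenerContext ctx = http.GetContext();      // blocks until the browser redirects
            var q = ctx.Request.QueryString;
            // Reject callbacks that do not carry the state generated above.
            bool ok = q["state"] == state && !string.IsNullOrEmpty(q["code"]);
            ctx.Response.StatusCode = ok ? 200 : 400;
            ctx.Response.Close();
            Console.WriteLine(ok ? "callback accepted" : "rejected: state mismatch or missing code");
        }
    }
}
```

On an accepted callback the app would then send `code` together with `code_verifier` to the token endpoint; that exchange is omitted here.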