Matt Raible
Hello Pierre,
Your first question is a good one. You could try using 127.0.0.1 instead of localhost. In most cases, the end user controls localhost, so I’m not sure “we don’t control localhost” is accurate.
As far as the secret key - you should never distribute one with your app. It should be possible to use authorization code flow with PKCE so you don’t need a client secret. However, the Microsoft library used in this tutorial hasn’t been updated since 2018 so I doubt it supports PKCE.