Our strategy on Windows is that we are using the WebView2 control to launch the Login Page of the Identity Provider, and we have a defined redirect URI such as myappname://auth. We use events attached to the WebView2 control to watch URL changes, and look for our redirect URI, at which point we grab the whole URL containing the authorisation code, state etc and shut down the control.

In doing this we have no requirement to open ephemeral ports or similar.