Some applications spin up a local web server and redirect back to localhost with the authorization code grant flow. You could also use the implicit grant flow - open a webview (or whatever the equivalent is in WPF) and grab the token from the URL hash after the redirect.
If you are hosting the web browser internally in your app with any of the various browsers that allow that, you actually don’t need a live web server running. You can catch the Navigating event and parse the url that is being redirected to as the token you need is one of the url parameters and not embedded into the body.
Thanks @Larklen I’ve already invalidated the client secret. It’s so difficult to know what to do in these situations as you want to post working code but not post working application data if you see what I mean.
Could you elaborate a bit more? From what I can tell the Authorization flows always make a callback which means that you always need to be listening on the callback URL to be able to complete the Authentication and get access to the token? From my understanding (and happy to be corrected) that means you always need to have some kind of limited web server running.