According to current native-application-OAuth best practice RFC the loopback port should be opened only when used for authorization request, and closed when done.

This best practice should be adopted when using QOAuthHttpServerReplyHandler; the close() should be called after authorization is complete, failed or otherwise. It should be possible to reopen to listen to the same port if later needed. Understandably if some other process in the operating system has already claimed the port in the meanwhile, it will just fail to listen, but this is acceptable (but it mustn't assert)

Note that the loopback listening is only needed when acquiring the authorization code. It is not needed when acquiring access token (neither for the first acquisition, nor for a token refresh). In other words:

• Authorization stage: callback/redirect_uri needed. Listening needed
• Request access token: callback/redirect_uri needed. Listening not needed
• Refresh access token: callback/redirect_uri not needed. Listening not needed