We're facing an issue with our Zoom Marketplace app related to the OAuth flow. The app is approved and we have a redirect URI configured as beta.xyz.com. Recently, we set up a microservice to handle OAuth at a central location, and the new redirect URI is api.oauth.xyz.com/auth/zoom/callback.

We also manage different environments for our clients, so their respective redirect URIs would look like client.api.oauth.xyz.com/auth/zoom/callback. We added these to the allowlist in development mode, which automatically added them to the production allowlist, but the app is still not working for our customers.

I've read that if we add the root domain xyz.com, all subdomains should work for the OAuth redirect, especially since we're using Passport.js, which creates the redirect URI in  request body based on client environments. My question is, will this approach work without needing to add each client's redirect URI to the allowlist?