B2C password reset fails for confidential client not configured to support implicit flow

Which version of Microsoft Identity Web are you using? Note that to get help, you need to run the latest version. Microsoft Identity Web 1.2.0

Where is the issue?

• Web app
  • Sign-in users
  • Sign-in users and call web APIs
• Web API
  • Protected web APIs (validating tokens)
  • Protected web APIs (validating scopes)
  • Protected web APIs call downstream web APIs
• Token cache serialization
  • In-memory caches
  • Session caches
  • Distributed caches
• Other (please describe)

Is this a new or an existing app? App under development

Repro

• Configure an application in B2C which does not support implicit flow
• Use dotnet new webapp --auth IndividualB2C to scaffold app, updating package references to 1.2.0
• Configure with B2C application defined above (clientId and secret)
• include <a href="/MicrosoftIdentity/Account/signin/OpenIdConnect">Sign In</a> in index.html
• Set logging at Debug level
• Run app and click link
• Click `Forgot Your Password?

Expected behavior The B2C Reset Password screen

Actual behavior Debug output reporting error: 'unauthorized_client', error_description: 'AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow.

Possible solution

• The problem is that the authorize call to the password reset policy includes id_token in ResponseType, whereas the signupsignin policy does not.

• Enabling implicit flow does provide a workaround, but this is undesirable given that that the implicit flow is disappearing.

Additional context / logs / screenshots Add any other context about the problem here, such as logs and screenshots.