Hello
As I can see, you are using the Implicit and Hybrid flows for authentication. Neither the Implicit nor the Hybrid flow requires a client secret when you're just using them for authentication (i.e., getting an ID token). They are designed to work for public clients where the application can't safely store a client secret, such as Single Page Applications (SPAs) running in a browser.
If your application is not using the client secret (and it's not hardcoded anywhere, nor stored in configurations or app settings), and you are solely relying on Implicit or Hybrid flows for authentication, then you should not experience any issues when the client secret expires or if you delete it.
To learn who the user is before redeeming an authorization code, it's common for applications to also request an ID token when they request the authorization code. This approach is called the hybrid flow because it mixes OIDC with the OAuth2 authorization code flow.
The hybrid flow is commonly used in web apps to render a page for a user without blocking on code redemption, notably in ASP.NET. Both single-page apps and traditional web apps benefit from reduced latency in this model.
The hybrid flow is the same as the authorization code flow described earlier but with three additions. All of these additions are required to request an ID token: new scopes, a new response_type, and a new nonce query parameter.
Links:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
I hope this helps!
Kindly mark the answer as Accepted and upvote or post your feedback to provide additional help!
Regards!
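The hybrid-flow request described in the answer above, shown as an added example that is not part of the original answer: it builds the authorize URL with the three additions (OIDC scopes, `response_type=code id_token`, a `nonce`) and no client secret, then checks that a returned ID token carries the same nonce. The `common` tenant, the all-zero client ID, the redirect URI, the `state` and `response_mode` parameters, and all function names are assumptions for illustration.

```python
import base64, hmac, json, secrets
from urllib.parse import urlencode

# Microsoft identity platform v2.0 authorize endpoint; the "common" tenant is an assumption.
AUTHORIZE = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

def build_hybrid_request(client_id, redirect_uri):
    """Return (url, state, nonce) for a hybrid-flow request; no client secret is sent."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "code id_token",  # addition 2: ID token alongside the code
        "scope": "openid profile",         # addition 1: OIDC scopes
        "nonce": nonce,                    # addition 3: binds the ID token to this request
        "response_mode": "form_post",      # ID tokens are not returned in the query string
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return AUTHORIZE + "?" + urlencode(params), state, nonce

def id_token_claims(id_token):
    """Decode the JWT payload only. Signature, iss, aud and exp validation is NOT done
    here; use a maintained JWT/OIDC library for that before trusting any claim."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def nonce_matches(id_token, expected_nonce):
    """Reject an ID token that was not issued for the request we sent (replay check)."""
    got = id_token_claims(id_token).get("nonce", "")
    return isinstance(got, str) and hmac.compare_digest(got.encode(), expected_nonce.encode())

def make_sample_token(claims):
    """Constructed, unsigned sample token used only to exercise the nonce check."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

if __name__ == "__main__":
    # Placeholder client ID and redirect URI (assumptions, not values from the answer).
    url, state, nonce = build_hybrid_request("00000000-0000-0000-0000-000000000000",
                                             "https://localhost/signin-oidc")
    print(url)
    print(nonce_matches(make_sample_token({"sub": "user1", "nonce": nonce}), nonce))
```

The nonce generated for a request has to be kept server-side (for example in the session) until the response arrives, and discarded after one use.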