Hi @nocap,
A client secret is required for confidential web applications. If you registered your application as mobile and native or SPA, it won't be required. It's required for web apps and web APIs, which can store the client secret securely on the server side.
I understand you get an ID token without passing a client secret, which means you are not using a confidential web application. So, in this case there is no need to pass a client secret. You can use the client ID and redirect URI to authenticate your application. Public client flows are not required for your use case since you are not requesting access tokens.
Before requesting an ID token, check whether the below prerequisites are present in your application.
1. Register your application in Microsoft Entra ID and select the supported account type as Accounts in any organizational directory.
2. Add the openid scope, and optionally profile and email, to the application.
3. Ensure the oauth2AllowIdTokenImplicitFlow property is set to True in the Manifest.
4. Use the below URL to get an ID token:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=Application_Id
&response_type=id_token
&redirect_uri=redirect_uri
&response_mode=fragment
&scope=openid
&nonce=abcde
For your reference: Request an ID token
Configure MSAL for iOS and macOS to use different identity providers
Hope this helps. Do let us know if you have any further queries.
Thanks,
Navya.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
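As an added example (not part of Navya's answer and not Microsoft's or MSAL's code), here is the response_type=id_token request from step 4 built with a random nonce and state, plus the checks a relying party has to run on the fragment the browser comes back with before it trusts the ID token. The client ID, redirect URI, tenant ID and the token contents are constructed placeholders; the sample token carries a dummy signature so everything runs offline, and signature verification against the tenant's JWKS is deliberately left out because it needs the network.

```python
import base64
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint taken from the authorize URL in the answer above.
AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"


def build_id_token_request(client_id, redirect_uri, scope="openid profile email"):
    """Build the implicit-flow authorize URL that returns only an id_token.

    Returns (url, nonce, state). Both values are random and must be kept in
    the user's session: nonce comes back inside the id_token, state comes back
    in the fragment, and check_callback() compares both.
    """
    nonce = secrets.token_urlsafe(32)
    state = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "redirect_uri": redirect_uri,
        "response_mode": "fragment",
        "scope": scope,
        "nonce": nonce,
        "state": state,
    }
    return f"{AUTHORITY}?{urlencode(params)}", nonce, state


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_jwt_payload(token):
    """Return the claims of a compact JWS without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_callback(redirect_url, expected_state, expected_nonce, client_id, now=None):
    """Validate the fragment-mode redirect and the id_token claims.

    Signature verification against the tenant's JWKS is NOT done here (it
    needs the network); a real relying party must add it before trusting the
    claims this function returns.
    """
    params = parse_qs(urlsplit(redirect_url).fragment)
    if "error" in params:
        raise ValueError(f"authorization error: {params['error'][0]}")
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    if "id_token" not in params:
        raise ValueError("no id_token in fragment")
    claims = decode_jwt_payload(params["id_token"][0])
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: replayed or injected token")
    if claims.get("aud") != client_id:
        raise ValueError("aud mismatch: token was issued to another application")
    iss = claims.get("iss", "")
    if not (iss.startswith("https://login.microsoftonline.com/") and iss.endswith("/v2.0")):
        raise ValueError(f"unexpected issuer {iss!r}")
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token has expired")
    return claims


def make_sample_callback(redirect_uri, client_id, nonce, state, now=None):
    """Constructed stand-in for the URL the browser lands on after sign-in.

    The token is assembled locally with a dummy signature so the example runs
    offline; it is not a token Microsoft would issue.
    """
    now = int(time.time()) if now is None else now
    tenant = "00000000-0000-0000-0000-000000000001"  # constructed tenant id
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    payload = {
        "iss": f"https://login.microsoftonline.com/{tenant}/v2.0",
        "aud": client_id,
        "iat": now,
        "nbf": now,
        "exp": now + 3600,
        "nonce": nonce,
        "tid": tenant,
        "sub": "constructed-subject",
    }
    token = f"{_b64url_encode(header)}.{_b64url_encode(payload)}.{_b64url_encode({'sig': 'dummy'})}"
    return f"{redirect_uri}#{urlencode({'id_token': token, 'state': state})}"


if __name__ == "__main__":
    app_id = "11111111-2222-3333-4444-555555555555"   # constructed client id
    cb_uri = "https://app.example/cb"                  # constructed redirect URI
    url, nonce, state = build_id_token_request(app_id, cb_uri)
    print("send the browser to:", url)
    landed = make_sample_callback(cb_uri, app_id, nonce, state)
    print("accepted claims:", check_callback(landed, state, nonce, app_id))
```

The nonce and state are what make the flow safe without a client secret: the secret never enters a public client, so the only thing tying the returned token to the request that asked for it is the unpredictable nonce inside the token and the state alongside it. Anything else (a wrong audience, a foreign issuer, an expired token) is rejected before the claims are used.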