
I'm trying to implement a custom ROPC flow in B2C. The idea is that trusted (internal) applications can get user tokens without using the user's primary password (the user may have several kinds of credentials), but other credentials.
I'm following the documentation at https://docs.microsoft.com/en-us/azure/active-directory-b2c/ropc-custom?tabs=app-reg-ga, but it clearly states:

Confidential client flow: The application client ID is validated, but the application secret is not validated.

But, from my point of view, these flows should only be used by privileged clients, therefore B2C needs to validate the client_secret, but this is not an option.

Is there a workaround for that, maybe some parameter that I can use in my custom policy definition?

I know that this can be implemented using non-ROPC flows, but some applications don't have a way to redirect the user to a web page (like a TV app).


1 Answer


Use the Azure AD client credentials flow; it works in B2C tenants too. If it must align to users, have an app reg for each user.

Server-side ROPC will get throttled when using the AAD B2C endpoint for ROPC policies.

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow