I am having trouble configuring a .NET 8 Blazor SSR Static application to work with Entra ID in Azure AD B2C.
In Program.cs I have this:
```csharp
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAdB2C"));
```

My config looks like this:

```jsonc
"AzureAdB2C": {
    "Instance": "https://[example].b2clogin.com",
    "Domain": "[example].onmicrosoft.com",
    "TenantId": "[my tenant id]",
    "ClientId": "[my client id]",
    "ClientCapabilities": [ "cp1" ],
    "SignUpSignInPolicyId": "B2C_1_signup-signin",
    //"ResponseType": "code" <== commented out
}
```

On Azure, I register the application:

- Platform: Web
- Redirect URI: https://localhost:7021/signin-oidc
- Access Tokens and Id Tokens both NOT selected.

With the above config, I get the following error when I navigate to the site:
```
AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow.
```
If I select both Access and Id tokens I get the same error.
If I include "ResponseType": "code" in the config then I am presented with the login screen. I am able to login but I then get the following error:
```
AADB2C90079: Clients must send a client_secret when redeeming a confidential grant.
```
This happens whether or not the Access and Id tokens are selected.
If I add a client secret in the portal and I also add it to the config, I get the following error:
```
IDX21336: Both 'id_token' and 'access_token' should be present in OpenIdConnectProtocolValidationContext.ProtocolMessage received from Token Endpoint. Cannot process the message.
```
This happens whether or not the Access and Id tokens are selected.
The Entra ID Integration Assistant also reports:
If I disable Access Tokens then the second warning is satisfied.
Out of desperation I even tried setting the platform to SPA which simply brought another round of errors.
Researching this problem is challenging in part because .NET 8 Blazor SSR (Static) is relatively new and because Blazor comes in three flavors (WASM, Server, and now static).
I am looking for some guidance here. I thought this would be easy compared to implementing auth in a SPA, but I was wrong. Hopefully I'm overlooking the obvious. I want the "right" configuration that not only works but is the most secure possible.
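As an added illustration (not code from the question or from Microsoft's template), here is the shape of a complete `Program.cs` for a .NET 8 Blazor Web App using static SSR with Microsoft.Identity.Web against Azure AD B2C, using the authorization-code flow (`"ResponseType": "code"` in the `AzureAdB2C` section) with the client secret supplied through configuration sources other than `appsettings.json`. It assumes the `Microsoft.Identity.Web` and `Microsoft.Identity.Web.UI` packages are referenced and that the root `App` component lives in a `BlazorApp.Components` namespace (placeholder name). It does not by itself address the IDX21336 error described above.

```csharp
// Added example: Program.cs for a static-SSR Blazor Web App on .NET 8 with
// Microsoft.Identity.Web and Azure AD B2C. Assumed: packages Microsoft.Identity.Web
// and Microsoft.Identity.Web.UI; the App root component in BlazorApp.Components
// (placeholder namespace). The "AzureAdB2C" section is expected to carry the keys
// shown in the question plus "ResponseType": "code".
using BlazorApp.Components; // assumed project namespace
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Keep "AzureAdB2C:ClientSecret" out of appsettings.json. In development:
//   dotnet user-secrets set "AzureAdB2C:ClientSecret" "<secret from the portal>"
// In production, bind the same key from an environment variable or Key Vault.
// All of these feed the single "AzureAdB2C" section that
// AddMicrosoftIdentityWebApp reads, so the code below stays unchanged.
builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAdB2C"));

// Registers the /MicrosoftIdentity/Account/SignIn and /SignOut endpoints.
builder.Services.AddControllersWithViews().AddMicrosoftIdentityUI();

// Deny by default: every endpoint requires an authenticated user unless a page
// or controller explicitly opts out with [AllowAnonymous].
builder.Services.AddAuthorization(options =>
    options.FallbackPolicy = options.DefaultPolicy);

// Makes AuthenticationState available to components via cascading parameter.
builder.Services.AddCascadingAuthenticationState();

// Static SSR only: no interactive server or WebAssembly render modes are added.
builder.Services.AddRazorComponents();

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error", createScopeForErrors: true);
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();

// Order matters: authentication, then authorization, then antiforgery
// (UseAntiforgery must follow UseAuthentication/UseAuthorization in .NET 8).
app.UseAuthentication();
app.UseAuthorization();
app.UseAntiforgery();

app.MapControllers();            // exposes the Microsoft.Identity.Web.UI account endpoints
app.MapRazorComponents<App>();   // static SSR routing for the Blazor components

app.Run();
```

With the code flow selected, the middleware redeems the authorization code at the token endpoint itself, so the "Access tokens" and "ID tokens" implicit-grant checkboxes in the app registration are not needed; PKCE is enabled by default for the code flow in ASP.NET Core's OpenID Connect handler, and the secret never reaches the browser because it is only used in that back-channel exchange.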

