FHIR Specification Feedback: FHIR-43022

Remove mentions of client secret that imply it's an option


Details

    • Type: Change Request
    • Resolution: Unresolved
    • Priority: Medium

Description

In section 5.2.1, it's made clear that this IG uses JWT-based client auth: "Client apps following this guide will have registered to authenticate using a private key rather than a shared client_secret. Thus, the client SHALL use its private key to sign...."

But sections 4.2.1 and 4.2.2 read like client secret is an available option for clients using B2C flows: "If the client app has registered to authenticate using a private key rather than a shared client_secret, ...", "For client applications authenticating with a shared secret, ...."

It doesn't appear that client secret is an option for any flow, given that Discovery limits token_endpoint_auth_methods_supported to ["private_key_jwt"].

Please resolve.
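The point above, that the discovery document's token_endpoint_auth_methods_supported is what decides which client authentication a client may use, can be enforced in code. The following is an added example, not code from the IG or the issue: a client that refuses to send a shared secret when the server only advertises private_key_jwt, plus the claim checks a token endpoint applies to the client_assertion after signature verification. The discovery metadata, client_id, and the five-minute exp window are constructed assumptions.

```python
import time
import uuid

# Constructed discovery metadata mirroring the constraint the issue describes:
# only private_key_jwt is advertised, so a shared client_secret is never an option.
DISCOVERY = {
    "token_endpoint": "https://auth.example.org/token",
    "token_endpoint_auth_methods_supported": ["private_key_jwt"],
}


def server_allows_method(discovery: dict, registered_method: str) -> bool:
    """Check the method the client registered with against what discovery advertises.
    A client holding a client_secret must stop here rather than send it anyway."""
    supported = discovery.get("token_endpoint_auth_methods_supported", [])
    return registered_method in supported


def build_client_assertion_claims(client_id: str, token_endpoint: str, now: int) -> dict:
    """Claims for a private_key_jwt client_assertion: iss and sub are the client_id,
    aud is the token endpoint, exp is short-lived (assumed 5 minutes), jti is unique
    so the server can detect replay. Signing with the client's private key is done
    by the caller and is outside this example."""
    return {"iss": client_id, "sub": client_id, "aud": token_endpoint,
            "exp": now + 300, "jti": str(uuid.uuid4())}


def validate_assertion_claims(claims: dict, token_endpoint: str, client_id: str,
                              now: int, seen_jti: set) -> bool:
    """Server-side checks run after the JWS signature has been verified against the
    client's registered public key. Rejects mismatched issuer/subject, a wrong
    audience, an exp outside (now, now + 5 min], and a replayed jti."""
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return False
    if claims.get("aud") != token_endpoint:
        return False
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now or exp > now + 300:
        return False
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        return False
    seen_jti.add(jti)  # remember the assertion id until it would have expired
    return True


if __name__ == "__main__":
    now = int(time.time())
    print(server_allows_method(DISCOVERY, "client_secret_basic"))  # False
    claims = build_client_assertion_claims("app-123", DISCOVERY["token_endpoint"], now)
    print(validate_assertion_claims(claims, DISCOVERY["token_endpoint"], "app-123", now, set()))
```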

People

    • Assignee: Unassigned
    • Reporter: Joseph M. Lamy (jlamy)