Protected apps using Azure AD B2C (aka Microsoft Entra External ID) as a confidential client are not currently supported in the iframe widget. The B2C token exchange requires a client_secret param be passed, but this is not configurable in the iframe.

Request is for support to be added for a secure way to achieve this auth flow without having to pass client_secret param.