Update sign in sample to not use hybrid flow (implicit id token)

1-WebApp-OIDC/1-1-MyOrg/README.md

@@ -96,10 +96,7 @@ As a first step you'll need to:
    - In the Redirect URIs section, select **Web** in the combo-box and enter the following redirect URIs.
        - `https://localhost:44321/`
        - `https://localhost:44321/signin-oidc`
-   - In the **Advanced settings** section set **Logout URL** to `https://localhost:44321/signout-oidc`
-   - In the **Advanced settings** | **Implicit grant** section, check **ID tokens** as this sample requires
-     the [ID Token](https://docs.microsoft.com/azure/active-directory/develop/id-tokens) to be enabled to
-     sign-in the user.
+   - In the **Advanced settings** section set **Logout URL** to `https://localhost:44321/signout-oidc`  
      <details open=true>
      <summary>Expand/collapse screenshot</summary>
 
@@ -109,7 +106,12 @@ As a first step you'll need to:
 
 1. Select **Save**.
 
-> Note that unless the Web App calls a Web API, no certificate or secret is needed.
+1. In the app's registration screen, select the **Certificates & secrets** blade in the left to open the page where we can generate secrets and upload certificates.
+1. In the **Client secrets** section, select **New client secret** and add a new secret
+
+> [!NOTE]
+> Secrets are weak credentials. In production, use a federated credential if you are hosted on Azure, or a certificate otherwise. See https://aka.ms/idweb/client-credentials
+
 
 ### Step 2: Download/ Clone this sample code or build the application using a template
 
@@ -132,7 +134,8 @@ cd "1-WebApp-OIDC\1-1-MyOrg"
   - replace the `ClientID` value with the *Application ID* from the application you registered in Application Registration portal on *Step 1*.
   - replace the `TenantId` value with the *Tenant ID* where you registered your Application on *Step 1*.
   - replace the `Domain` value with the *Microsoft Entra domain name*,  e.g. contoso.onmicrosoft.com where you registered your Application on *Step 1*.
-
+  - replace the `ClientSecret` value with the *client secret* you created in the previous step.
+
 #### Option 2: Create the sample from the command line
 
 1. Run the following command to create a sample from the command line using the `SingleOrg` template:

1-WebApp-OIDC/1-1-MyOrg/Startup.cs

@@ -33,9 +33,10 @@ public void ConfigureServices(IServiceCollection services)
                 options.HandleSameSiteCookieCompatibility();
             });
 
-            // Sign-in users with the Microsoft identity platform
             services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
-            .AddMicrosoftIdentityWebApp(options => Configuration.Bind("AzureAd", options));
+                .AddMicrosoftIdentityWebApp(options => Configuration.Bind("AzureAd", options))
+                .EnableTokenAcquisitionToCallDownstreamApi() // This is needed to exchange the authorization code for an ID Token
+                .AddInMemoryTokenCaches(); 
 
             services.AddControllersWithViews(options =>
             {

1-WebApp-OIDC/1-1-MyOrg/appsettings.json

@@ -5,7 +5,13 @@
     "TenantId": "[Enter 'common', or 'organizations' or the Tenant Id (Obtained from the Azure portal. Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs), e.g. da41245a5-11b3-996c-00a8-4d99re19f292]",
     "ClientId": "[Enter the Client Id (Application ID obtained from the Azure portal), e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",
     "CallbackPath": "/signin-oidc",
-    "SignedOutCallbackPath": "/signout-callback-oidc"
+    "SignedOutCallbackPath": "/signout-callback-oidc",
+    "ClientCredentials": [ 
+      {
+        "SourceType": "ClientSecret",  // Secrets are weak credentials. Use certificates or federated credentials instead. See https://aka.ms/idweb/client-credentials
+        "ClientSecret": "[Enter you secret here]"
+      }
+    ]
   },
   "Logging": {
     "LogLevel": {