Multiple policies sharing the same key


At the moment I have two workflows.

A custom one, B2C_1A_signin_only, where the user can log in via the web interface.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="some_id"
  PolicyId="B2C_1A_signin_only"
  UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights"
  PublicPolicyUri="http://some_tenant.onmicrosoft.com/B2C_1A_signin_only">

  <BasePolicy>
    <TenantId><!-- ... --></TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>

  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account</DisplayName>
      <TechnicalProfiles>
        <!-- ... -->
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>

  <UserJourneys>
    <UserJourney Id="SignIn">
      <OrchestrationSteps>
        <!-- ... -->
      </OrchestrationSteps>
      <ClientDefinition ReferenceId="DefaultWeb"/>
    </UserJourney>
  </UserJourneys>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignIn" />
    <UserJourneyBehaviors>
      <!-- ... -->
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="emails" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>

A default one (Resource Owner Password Credentials), B2C_1_ROPC, for a native app, following the docs:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow

We recommend that you don't use the ROPC flow

I know, I read the docs ;)

But this also gives me two configuration URLs:

  • https://some_tenant.b2clogin.com/B2C_1A_SIGNIN_ONLY/v2.0/.well-known/openid-configuration
  • https://some_tenant.b2clogin.com/B2C_1_ROPC/v2.0/.well-known/openid-configuration

Each with a different kid. Our API server can use only one configuration, but it should not matter where the JWT was generated, at B2C_1_ROPC or at B2C_1A_signin_only.

So is it possible for the two workflows to use the same keys?

Or is it possible to implement the B2C_1_ROPC workflow in the custom B2C_1A_signin_only policy, so that I can use the OAuth legacy password grant type as well?

https://oauth.net/2/grant-types/password/

Please provide examples in the custom XML or the manifest.json if changes are needed there.

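The question leaves the API side open: the server has to accept tokens minted by either policy even though each discovery document advertises a different kid. The Go program below is an added example, not code from the question or from Microsoft's B2C documentation. It shows the usual answer on the verifying side: merge the key sets published by both policies and select the key by kid, while pinning alg, iss and aud and rejecting a kid that appears in both sets with different key material. The issuer URL, audience, kid values and the stand-in key generation and token minting (newPolicyKey, mint) are constructed for the demo; a real server would fetch each policy's jwks_uri from its openid-configuration instead.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed demo values: the issuer both policies put in iss, and the API's own client id.
const issuer, audience = "https://some_tenant.b2clogin.com/some_id/v2.0/", "api-client-id"
var b64 = base64.RawURLEncoding

// jwk/jwks: the RFC 7517 subset for RS256; encoding/json matches the lowercase member names case-insensitively.
type jwk struct{ Kid, Kty, N, E string }
type jwks struct{ Keys []jwk }

type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"` // a single client id; an aud array is out of scope for this example
	Exp int64  `json:"exp"`
}

// verifier holds the signing keys of every accepted policy, merged and indexed by kid.
type verifier struct {
	keys             map[string]*rsa.PublicKey
	issuer, audience string
}

// newVerifier merges one JWKS per policy; a kid bound to different key material in two sets is refused (no silent shadowing).
func newVerifier(issuer, audience string, sets ...jwks) (*verifier, error) {
	v := &verifier{keys: map[string]*rsa.PublicKey{}, issuer: issuer, audience: audience}
	for _, set := range sets {
		for _, k := range set.Keys {
			n, err1 := b64.DecodeString(k.N)
			e, err2 := b64.DecodeString(k.E)
			if k.Kty != "RSA" || k.Kid == "" || err1 != nil || err2 != nil {
				return nil, fmt.Errorf("unusable jwk %q", k.Kid)
			}
			pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
			if old, dup := v.keys[k.Kid]; dup && (old.N.Cmp(pub.N) != 0 || old.E != pub.E) {
				return nil, fmt.Errorf("kid %q is ambiguous across policies", k.Kid)
			}
			v.keys[k.Kid] = pub
		}
	}
	return v, nil
}

// verify pins alg, picks the key by kid, then checks signature, iss, aud and exp; the minting policy is irrelevant once its kid is known.
func (v *verifier) verify(token string) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("bad header or alg %q refused", hdr.Alg) // the token never picks the alg
	}
	pub, ok := v.keys[hdr.Kid]
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ok || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("kid %q unknown or signature invalid", hdr.Kid)
	}
	var c claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("bad payload")
	}
	if c.Iss != v.issuer || c.Aud != v.audience || time.Now().Unix() >= c.Exp {
		return nil, fmt.Errorf("issuer, audience or expiry check failed")
	}
	return &c, nil
}

// newPolicyKey and mint stand in for the issuing side: a policy's signing key plus its JWKS document, and an RS256 token naming that kid.
func newPolicyKey(kid string) (*rsa.PrivateKey, jwks) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	e := big.NewInt(int64(k.E)).Bytes()
	return k, jwks{Keys: []jwk{{Kid: kid, Kty: "RSA", N: b64.EncodeToString(k.N.Bytes()), E: b64.EncodeToString(e)}}}
}

func mint(priv *rsa.PrivateKey, kid string, c claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}
```

Build one verifier from the key sets of both policies (newPolicyKey("web-kid") and newPolicyKey("ropc-kid") in the demo) and call verify on tokens from either; a token whose kid is not in the merged set, whose alg is anything but RS256, or whose iss, aud or exp does not match is rejected. The duplicate-kid check in newVerifier is the caveat for the "same kid in both policies" case: two key sets that disagree on what a kid means are refused at load time rather than letting whichever loads last win. Whether B2C itself can be made to sign both policies with one key is the open part of the question.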