Why use auth code flow
Safari, along with other popular browsers following suit, has implemented an on-by-default privacy feature: Intelligent Tracking Protection (ITP). ITP blocks cookies from being sent across domains, thus breaking the standard pattern for implementing the implicit flow in single-page apps (SPAs), where silent iframes are used for single sign-on in the browser.
In response to browser cookie limitations, OAuth published a draft recommending that browser based applications now use the authorization code flow. The Microsoft identity platform now enables this through updates to our client library and Secure Token Server.
To take advantage of the latest recommended authentication flow in your browser-based application, follow the quickstart or tutorial. You will need to update your application to use the latest MSAL version and update your application registration in the Azure Portal.
-Microsoft identity platform team