Hi Prathap Dasari,
I would like to know which flow you are referring to: the OAuth code flow or the client-credential flow?
1. OAuth code flow is used when the client application needs to access the user's resources on behalf of the user. In this flow, the user is redirected to the authorization server, where they authenticate and grant permission to the client application. The authorization server then returns an authorization code to the client application, which is exchanged for an access token that can be used to access the user's resources. For this flow we need openid, offline_access, profile.
2. Client-credential flow is used when the client application needs to access its own resources, rather than the resources of a user. In this flow, the client application sends its own credentials (client ID and secret) to the authorization server, which returns an access token that can be used to access its own resources. The /.default scope allows the application to request all the permissions defined in its Azure AD app registration.
As per the code snippet you provided, you are passing the API//{ApplicationID}/.default scope, which means you are referring to the client-credential flow. But under the const token request block you mention the scopes user.read and mail.read, which refer to the authorization code flow. To use the client-credential flow, you need to remove this block.
For a browser-based application, you need user interaction, for which you require the authorization code flow. In this case, you need to remove the /.default scope.
Thanks,
Navya.
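The scope mismatch described in the answer above, as an added example that is not part of the original thread or of any MSAL code: a small checker that builds a token request for a chosen flow and flags scopes that belong to the other flow (a /.default application scope next to delegated scopes such as user.read and mail.read). The APP_ID value is a constructed placeholder, and the api://{ApplicationID}/.default spelling of the resource scope is an assumption about the form quoted in the question; no token is actually requested.

```javascript
// Added example (not from the original thread). Models the two token-request
// shapes discussed in the answer and reports the mix-up that was reported:
// a client-credential request (".../.default") combined with delegated scopes.
const APP_ID = "00000000-0000-0000-0000-000000000000"; // placeholder, constructed

// OpenID Connect scopes that only make sense when a user signs in.
const OIDC_SCOPES = new Set(["openid", "offline_access", "profile"]);

// Classify a single scope string by the flow it belongs to.
function classifyScope(scope) {
  if (scope.endsWith("/.default")) return "client-credential";
  if (OIDC_SCOPES.has(scope)) return "authorization-code";
  // Anything else (user.read, mail.read, ...) is a delegated permission that
  // requires a signed-in user, so it also belongs to the authorization code flow.
  return "authorization-code";
}

// Build a token request for the chosen flow and report every scope that does
// not belong to that flow. Returns { ok, problems, request }.
function buildTokenRequest(flow, scopes) {
  const problems = [];
  for (const scope of scopes) {
    const kind = classifyScope(scope);
    if (kind !== flow) {
      problems.push(`scope "${scope}" belongs to the ${kind} flow, not ${flow}`);
    }
  }
  if (flow === "client-credential" && scopes.length !== 1) {
    problems.push("client-credential flow takes exactly one /.default scope");
  }
  return { ok: problems.length === 0, problems, request: { scopes: [...scopes] } };
}

// The configuration from the question: /.default plus delegated scopes.
function mixedRequest() {
  return buildTokenRequest("client-credential",
    [`api://${APP_ID}/.default`, "user.read", "mail.read"]);
}

// Corrected client-credential request: only the /.default scope.
function clientCredentialRequest() {
  return buildTokenRequest("client-credential", [`api://${APP_ID}/.default`]);
}

// Corrected browser (authorization code) request: OIDC plus delegated scopes,
// with no /.default scope.
function authorizationCodeRequest() {
  return buildTokenRequest("authorization-code",
    ["openid", "offline_access", "profile", "user.read", "mail.read"]);
}

for (const r of [mixedRequest(), clientCredentialRequest(), authorizationCodeRequest()]) {
  console.log(r.ok ? "ok" : "mismatch", r.request.scopes.join(" "), r.problems);
}
```

Running the block prints one line per request; only the first (the mixed one) reports a mismatch, listing each delegated scope that does not belong in a client-credential request.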