I followed the quickstart guide "Quickstart: Sign in users and get an access token in a JavaScript SPA using the auth code flow with PKCE". Everything works great until I add a localhost web redirect URI like http://localhost:3030. As soon as I do that, I get the error AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'. So, I figure that I then need to enable public client flows, so I turn that on. The next error I get is AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type.
I haven't changed my SPA redirect URI and suddenly it won't work when I add the localhost web URI. Why? It seems that other web redirect URIs work fine.