open_id: This is a scope, not a response type. You probably mean id_token.
code: Means that the app service is doing the Authorization Code flow. It uses the returned code to exchange it for the actual access token.
As far as I understand, you are using built-in AppService authentication. You probably don't need to change how AppService authenticates you. There is a good tutorial for it, but basically all you need to do is to call GET /.auth/me in your SPA to receive the tokens. GET /.auth/refresh will refresh the tokens, if it is properly set up.
GET https://xxx.azurewebsites.net/.auth/me

    [
      {
        "access_token": "...",
        "expires_on": "2020-03-20T09:49:01.0000000Z",
        "id_token": "ey...",
        "provider_name": "aad",
        "refresh_token": "...",
        "user_claims": [
          {
            "typ": "foo",
            "val": "bar"
          },
          ...
        ],
        "user_id": "..."
      }
    ]

If you really want to try messing with the built-in authentication, you can try changing this (taken from the "refresh" instructions mentioned above). You might need to do part of this anyways because of the refresh feature.
Azure Active Directory: In https://resources.azure.com, do the following steps:
1. At the top of the page, select Read/Write.
2. In the left browser, navigate to subscriptions > resourceGroups > > providers > Microsoft.Web > sites > > config > authsettings.
3. Click Edit.
4. Modify the following property. Replace <app_id> with the Azure Active Directory application ID of the service you want to access.

    "additionalLoginParams": ["response_type=code id_token", "resource=<app_id>"]
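
The /.auth/me and /.auth/refresh calls described in the answer, as an added JavaScript example that is not part of the original post. The function names, the injectable fetchFn, and the 5-minute refresh window are assumptions made for illustration.

```javascript
// Added example. BASE, the function names and the skew are assumptions.
const BASE = ""; // empty = same origin as the App Service site

// Pick the provider's entry out of the /.auth/me array and parse its expiry.
function parseAuthMe(body, provider = "aad") {
  if (!Array.isArray(body)) throw new Error("unexpected /.auth/me shape");
  const entry = body.find((e) => e && e.provider_name === provider);
  if (!entry) return null;
  // expires_on carries 7 fractional digits; trim to the 3 that the
  // ECMAScript date-time format defines before parsing.
  const iso = String(entry.expires_on).replace(/(\.\d{3})\d+/, "$1");
  const expiresAt = Date.parse(iso);
  if (Number.isNaN(expiresAt)) throw new Error("bad expires_on");
  return { accessToken: entry.access_token, idToken: entry.id_token, expiresAt };
}

// True when the token is expired or will expire within skewMs.
function needsRefresh(session, nowMs, skewMs = 5 * 60 * 1000) {
  return session.expiresAt - nowMs <= skewMs;
}

async function fetchSession(fetchFn) {
  // The session cookie is what authenticates this call, so send it.
  const res = await fetchFn(`${BASE}/.auth/me`, { credentials: "same-origin" });
  if (res.status === 401) return null; // not signed in
  if (!res.ok) throw new Error(`/.auth/me failed: ${res.status}`);
  return parseAuthMe(await res.json());
}

// Returns a session with a usable token, calling /.auth/refresh once if needed.
async function getSession(fetchFn = fetch, nowMs = Date.now()) {
  let session = await fetchSession(fetchFn);
  if (session && needsRefresh(session, nowMs)) {
    const r = await fetchFn(`${BASE}/.auth/refresh`, { credentials: "same-origin" });
    if (!r.ok) throw new Error(`/.auth/refresh failed: ${r.status}`);
    session = await fetchSession(fetchFn);
    if (!session || needsRefresh(session, nowMs, 0)) {
      throw new Error("token still expired after refresh");
    }
  }
  return session; // keep tokens in memory only; never log them
}
```

A failing /.auth/refresh surfaces as an error rather than silently returning a stale token, which is the case the "if it is properly set up" caveat refers to.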