Commit 0b02d75

Update tutorial-v2-javascript-auth-code.md
1 parent 427125d commit 0b02d75

1 file changed

+1
-7
lines changed

articles/active-directory/develop/tutorial-v2-javascript-auth-code.md

Lines changed: 1 addition & 7 deletions
@@ -325,12 +325,6 @@ Create a new .js file named `authConfig.js`, which will contain your configurati
325325
scopes: ["User.Read", "Mail.Read"]
326326
};
327327

328-
// Add here scopes for token to be fetched silently
329-
const silentRequest = {
330-
scopes: [msalConfig.clientId, "User.Read", "Mail.Read"],
331-
forceRefresh: false // set this to "true" if you would like to skip a cached token and go to the server
332-
};
333-
334328
```
335329

336330
Where:
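
Review bot: the deletion of `silentRequest` at old lines 328-332 is not explained, and nothing in this hunk shows what silent token requests should use instead. The "More information" text in this same file still says the SPA calls `acquireTokenSilent`, so please confirm that no remaining snippet in the tutorial references `silentRequest`. The removed object also listed `msalConfig.clientId` among its scopes and carried the `forceRefresh` comment, so if silent calls now reuse the request ending in `scopes: ["User.Read", "Mail.Read"]` just above, that is a change in the documented request and is worth a sentence in the commit message, which currently reads only "Update tutorial-v2-javascript-auth-code.md".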
@@ -494,7 +488,7 @@ function readMail() {
494488
<!--start-collapse-->
495489
### More information
496490

497-
After a user selects the **Sign In** button for the first time, the `signIn` method calls `loginPopup` to sign in the user. This method opens a pop-up window with the *Microsoft identity platform endpoint* to prompt and validate the user's credentials. After a successful sign-in, the user is redirected back to the redirect URI registered. A token is received, processed by `msal.js`, and the information contained in the token is cached. This token is known as the *ID token* and contains basic information about the user, such as the user display name. If you plan to use any data provided by this token for any purposes, you need to make sure this token is validated by your backend server to guarantee that the token was issued to a valid user for your application.
491+
After a user selects the **Sign In** button for the first time, the `signIn` method calls `loginPopup` to sign in the user. This method opens a pop-up window with the *Microsoft identity platform endpoint* to prompt and validate the user's credentials. After a successful sign-in, `msal.js` initiates the [authorization code flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow). At this point, a PKCE protected authorization code is sent to the CORS protected token endpoint and is exhanged for tokens. A ID token, Access token, and Refresh Token are received, processed by `msal.js`, and the information contained in the token is cached. The *ID token* and contains basic information about the user, such as the user display name. If you plan to use any data provided by this token for any purposes, you need to make sure this token is validated by your backend server to guarantee that the token was issued to a valid user for your application. The *Refresh Token* is limited lifetime and expires after 24 hours. This token can be used to silently acquire new *Access Tokens*.
498492

499493
The SPA generated by this guide calls `acquireTokenSilent` and/or `acquireTokenPopup` to acquire an *access token* used to query the Microsoft Graph API for user profile info. If you need a sample that validates the ID token, take a look at [this](https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-dotnet-webapi-v2 "GitHub active-directory-javascript-singlepageapp-dotnet-webapi-v2 sample") sample application in GitHub. The sample uses an ASP.NET Web API for token validation.
500494
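
Review bot: the replacement paragraph at new line 491 has several wording errors that should be fixed before merge: "exhanged" should be "exchanged", "A ID token" should be "An ID token", "The *ID token* and contains" has a stray "and", and "is limited lifetime" should read "has a limited lifetime". Capitalisation of the token names is also inconsistent ("Access token", "Refresh Token", "*Access Tokens*"). Because three tokens are now received, "the information contained in the token is cached" and "any data provided by this token" no longer say which token is meant; name the ID token explicitly so the backend-validation advice stays unambiguous. The statement that the refresh token "expires after 24 hours" is a hard number, so consider linking it to the reference page that defines that lifetime.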
