Azure AD API as data source

There is really nothing to the app at the moment; this issue came up as we were trying to connect to an existing API. The API is part of an existing system that we cannot share with you.
We could set up a hello world API, but in the short term I can describe its setup, which may shed some light:

The API uses an Azure AD App Registration with normal grant flow (Client ID and Secret).

This client (and other clients) use a separate Azure AD App Registration, which in this case is set to use implicit grant flow (Client ID and Reply URLs).

The client App Registration is granted permissions to access the API (using the Required Permissions section in Azure AD). This is the trusted sub-system model I previously mentioned.

This is the point where we hit the infinite loop trying to authenticate.

What seems to also be missing is how to configure the fact that we want to get a particular scope permission from AD (to call the API). So even if we did manage to authenticate, the token sent to the API would not be correct.

Just to try, we altered the API to allow Implicit Grant flow and altered the app configuration to match. The result was the same, an infinite loop with the IFrames.
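
One way to check whether a token obtained through the client App Registration is actually meant for the API, as the post above worries about, is to inspect its `aud` and `scp` claims. This is an added example, not part of the original post; the App ID URI, scope name, client ID and sample tokens are constructed assumptions.

```javascript
// Diagnostic only: decodes a JWT payload WITHOUT verifying the signature.
// The API itself must still validate signature, issuer and expiry.

// Hypothetical values for the API's App Registration (assumptions, not from the post).
const API_AUDIENCE = "https://contoso.example/hello-api"; // App ID URI of the API
const REQUIRED_SCOPE = "user_impersonation";              // delegated permission name

function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Returns a list of reasons the API would reject this token; empty means it matches.
function checkTokenForApi(jwt, audience, scope) {
  const claims = decodePayload(jwt);
  const problems = [];
  const auds = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!auds.includes(audience)) {
    problems.push(`aud is ${claims.aud}, expected ${audience}`);
  }
  // Delegated permissions arrive as a space-separated string in "scp".
  const scopes = typeof claims.scp === "string" ? claims.scp.split(" ") : [];
  if (!scopes.includes(scope)) problems.push(`scp lacks ${scope}`);
  return problems;
}

// Builds an unsigned sample token for the demonstration (constructed data).
function makeSample(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.placeholder`;
}

// Token issued for the client itself (aud = client ID, no scp): wrong for the API.
const clientOnlyToken = makeSample({
  aud: "00000000-0000-0000-0000-000000000001", // constructed client ID
  name: "Sample User",
});
// Token issued for the API with the delegated permission granted.
const apiToken = makeSample({ aud: API_AUDIENCE, scp: "user_impersonation" });

console.log(checkTokenForApi(clientOnlyToken, API_AUDIENCE, REQUIRED_SCOPE));
console.log(checkTokenForApi(apiToken, API_AUDIENCE, REQUIRED_SCOPE));
```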