I'm currently attempting to reimplement MagicISRC to use /ws/2, due to MBS-9619 (tracking issue)

I would like to avoid having the user provide their login & password on my page (even if I'm not storing it), so I'm attempting to implement the OAuth login flow in client-side javascript. The current blocker to this is that I cannot retrieve the token following the redirect, because the /oauth/token endpoint does not send an Access-Control-Allow-Origin header which would allow this.