Auth.js v9 CORS

oauthToken shouldn’t be used from a browser. You should use webAuth.login for login and webAuth.checkSession for getting new tokens. You’re seeing the CORS errors because, once the Legacy Lock API is disabled, the oauth/token endpoint will only work for native/backend clients, where there are no CORS issues.
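
The browser-side flow described in the answer above, as an added example that is not part of the original post or Auth0's own code. It assumes `webAuth` is an auth0.js v9 `WebAuth` instance created elsewhere; `renewTokens`, `loginWithPassword` and the `now` parameter are hypothetical names introduced for illustration.

```javascript
// Added example. `webAuth` is assumed to be an auth0.js v9 WebAuth instance, e.g.
//   new auth0.WebAuth({ domain, clientID, redirectUri, responseType: 'token id_token' })
// renewTokens and loginWithPassword are hypothetical helper names.

// checkSession errors that mean "no usable session, send the user to log in".
const NEEDS_LOGIN = ['login_required', 'consent_required', 'interaction_required'];

// Get new tokens with checkSession rather than calling oauth/token from the browser.
function renewTokens(webAuth, options = {}, now = Date.now()) {
  return new Promise((resolve, reject) => {
    webAuth.checkSession(options, (err, authResult) => {
      if (err) {
        const e = new Error(err.error_description || err.error);
        e.code = err.error;
        e.needsLogin = NEEDS_LOGIN.includes(err.error);
        return reject(e);
      }
      resolve({
        accessToken: authResult.accessToken,
        idToken: authResult.idToken,
        expiresAt: now + authResult.expiresIn * 1000, // expiresIn is in seconds
      });
    });
  });
}

// Username/password login with webAuth.login. On success the browser is redirected
// to redirectUri, so the callback is only expected to report a failure.
function loginWithPassword(webAuth, realm, username, password) {
  return new Promise((resolve, reject) => {
    webAuth.login({ realm, username, password }, (err) => reject(err));
  });
}
```

When `renewTokens` rejects with `needsLogin` set, start an interactive login instead of retrying the silent call.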