Iframe custom connection authentication with same domains

We have 2 apps

  1. www.example.com (SPA)
  2. oauth.example.com (PHP)

The SPA (1) button calls the PHP (2) OAuth server (oauth.example.com/oauth/authorize and oauth/token), which then calls our custom domain and gets the token on third party enabled.

When we embed the SPA in abc.example.net, which is the same as oauth.example.com (PHP), and try to authenticate from the embedded SPA (www.example.com) from Origin (abc.example.net) on third party disabled, it throws a too many redirects error, although an API before /resume gives a success response.

We have control over the OAuth server, the custom domains and the SPA.

Can I have some insights? It’s a major blocker right now.