The login code supports a pop up instead or redirect, but most browsers now block this, so the redirect is required. Security is also blocking iframe implementations.
If the hosting server supports authentication, you can do a simple api call to get a token instead of the oauth flow.