dshoreman / servidor

A modern web application for managing servers

Don't proxy OAuth Tokens

dshoreman opened this issue

In our Auth\LoginController we proxy from /login to /oauth/token so that a global Client ID and Secret can be injected without exposing them on the frontend.

This really needs to be fixed. One potential method would be using Passport's Code Grant with PKCE, but it may be easier to use Sanctum with its cookie-based SPA Authentication instead.