Add auto_token client option

Add an auto_token client option to change the flow such that the
token will be sent back to the client directly by the browser.
There are a number of "TODO" messages in this commit which will
hopefully be addressed in code review. I'm not sure if they're
needed.