Thank you for the feedback, @dan !
I was able to add URLs via "Applications" -> "My Application" -> "OAuth" which made the DENY go away. However, now, no one can log in. It just redirects back to the login. I am not sure if it is the same issue as this since it does not go through an HTTP url.
Although I am testing from a browser, the other issue is that the frame is embedded in a desktop application. It doesn't use a an "http" origin url which means I cannot add it as an authorized origin.
Would this mean proxy is the only option we have?