When the user clicked the "Log in" link, the URL of the
"oauth.authorize" endpoint was fetched via an async Promise-returning
method before the `window.open` call was made. This meant that the
`window.open` call did not happen in the turn of the event loop that was
triggered by the user action and so Firefox & IE's popup blockers deemed
the call to have happened outside the context of a user gesture and
prevented the window being opened.

Chrome, Safari & Edge have different heuristics and did not block the
popup before.

Fix the issue by opening the window directly when the user clicks on the
"Log in" button, at a dummy URL ("about:blank"), and then changing the
window's location once the authorization endpoint URL has been fetched.

Fixes #534