Hi Lucas,
You'll want to build your application as a provider application, not patient (you'll have doctors sign in, not patients). You have the correct FHIR URL for that, but are using an incorrect authorization URL. The FHIR URL should start with fhir-ehr. See:
http://fhir.cerner.com/millennium/dstu2/#secure-sandbox
We do not allow the launch/patient scope for providers, and your application won't be able to use the launch scope either, since it's standalone. Your application will need to use all user/* scopes since the authorization server will not have context of the patient being acted upon. Also, your application would need to implement patient search using our Patient resource. Ideally, we would support launch/patient for provider, but the workflow above would allow your app to function in the absence of that support.
The ACAO issue is interesting - we do support CORS, but it requires that the CORS headers the browser sends are in place. Since this is browser-side, have you tried opening developer tools to see what is being sent and returned from the calls the JavaScript is making? Are you using the fhir-client.js library, as mentioned here (so you don't need to write your own OAuth/SMART)? Also, while the authorize URL needs to be made in a browser for the user to enter credentials, there's nothing that would prevent the token call from happening server-side.
Credentials are documented in the code console for providers (portal/portal). Right now, your application is hitting the patient sign-in, so those credentials won't work. If the app uses the token and authorize endpoints from the FHIR metadata, you'll be sent to the provider sign-in page.
~ Jenni
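
The approach described in the reply above, as an added example that is not part of Jenni's message or of Cerner's code: read the authorize and token endpoints from the FHIR metadata instead of hard-coding them, and refuse scopes a standalone provider app cannot use. The hosts, `TENANT_ID`, client id and sample Conformance document are constructed placeholders; the `oauth-uris` extension URL is the SMART on FHIR DSTU2 convention.

```javascript
// Added example with constructed sample data; not code from the original reply.
const OAUTH_URIS = "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris";

// Pull the authorize/token endpoints out of a DSTU2 Conformance statement
// (the document served at <FHIR base>/metadata).
function oauthEndpoints(conformance) {
  for (const rest of conformance.rest || []) {
    const ext = ((rest.security || {}).extension || []).find((e) => e.url === OAUTH_URIS);
    if (!ext) continue;
    const found = {};
    for (const e of ext.extension || []) found[e.url] = e.valueUri;
    if (found.authorize && found.token) return { authorize: found.authorize, token: found.token };
  }
  throw new Error("Conformance statement has no SMART oauth-uris extension");
}

// Scopes the reply rules out for a standalone provider app: launch and
// launch/patient. patient/* is flagged too, since the reply asks for user/* scopes.
function rejectedScopes(scopes) {
  return scopes.filter((s) => s === "launch" || s.startsWith("launch/") || s.startsWith("patient/"));
}

// Build the browser redirect. `state` must be an unpredictable per-request value
// generated by the caller and checked again when the redirect comes back.
function buildAuthorizeUrl({ fhirBase, conformance, clientId, redirectUri, scopes, state }) {
  const bad = rejectedScopes(scopes);
  if (bad.length) throw new Error("Not usable by a standalone provider app: " + bad.join(", "));
  const url = new URL(oauthEndpoints(conformance).authorize);
  url.search = new URLSearchParams({
    response_type: "code", client_id: clientId, redirect_uri: redirectUri,
    scope: scopes.join(" "), state, aud: fhirBase,
  }).toString();
  return url.toString();
}

// Constructed sample: a provider (fhir-ehr) base URL and a trimmed Conformance document.
const FHIR_BASE = "https://fhir-ehr.example.org/dstu2/TENANT_ID";
const sampleConformance = {
  resourceType: "Conformance",
  rest: [{ mode: "server", security: { extension: [{ url: OAUTH_URIS, extension: [
    { url: "authorize", valueUri: "https://auth.example.org/provider/authorize" },
    { url: "token", valueUri: "https://auth.example.org/provider/token" },
  ] }] } }],
};
```

Only the redirect built by `buildAuthorizeUrl` has to happen in the browser; the code-for-token exchange against the discovered `token` endpoint can run server-side, as the reply notes.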