I’m sorry if I’ve come across as rude or unhelpful, but insecure practices are a massive issue and getting rid of them a personal priority of mine. Security needs to be an integral part of the development and design, not an afterthought.
The last code you pasted looks correct. The response is documented as
{
    "access_token": "0123456789abcdefghijABCDEFGHIJ",
    "refresh_token": "eyJfaWQmNzMtNGCJ9%6VFV5LNrZFUj8oU231/3Aj",
    "expires_in": 3600,
    "scope": "viewing_activity_read",
    "token_type": "bearer"
}
Specify dataType: 'json' and you can count on the response being this type of JavaScript object as your success function’s first parameter. But again, a purely client-side application should be using implicit code flow for both security and convenience.
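Added example, not part of the original post: one way to validate the documented response shape before trusting it in a success callback. `parseTokenResponse`, `isExpired`, the 30-second skew and the space-separated treatment of `scope` are assumptions made for illustration; the sample body reuses the documented values above.

```javascript
// Sample body built from the documented response shown above.
const SAMPLE = JSON.stringify({
  access_token: '0123456789abcdefghijABCDEFGHIJ',
  refresh_token: 'eyJfaWQmNzMtNGCJ9%6VFV5LNrZFUj8oU231/3Aj',
  expires_in: 3600,
  scope: 'viewing_activity_read',
  token_type: 'bearer',
});

// Hypothetical helper: accepts raw JSON text or an already-parsed object
// (what a success callback receives with dataType: 'json').
function parseTokenResponse(body, nowMs = Date.now()) {
  const data = typeof body === 'string' ? JSON.parse(body) : body;
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new TypeError('token response is not a JSON object');
  }
  for (const field of ['access_token', 'token_type']) {
    if (typeof data[field] !== 'string' || data[field] === '') {
      throw new TypeError('missing or non-string field: ' + field);
    }
  }
  // Refuse token types this client does not know how to present.
  if (data.token_type.toLowerCase() !== 'bearer') {
    throw new TypeError('unexpected token_type');
  }
  if (!Number.isFinite(data.expires_in) || data.expires_in <= 0) {
    throw new TypeError('expires_in must be a positive number of seconds');
  }
  return {
    accessToken: data.access_token,
    refreshToken: typeof data.refresh_token === 'string' ? data.refresh_token : null,
    // Assumption: multiple scopes, if any, are space-separated.
    scopes: typeof data.scope === 'string' ? data.scope.split(' ').filter(Boolean) : [],
    // Convert the relative lifetime into an absolute expiry timestamp.
    expiresAtMs: nowMs + data.expires_in * 1000,
  };
}

// Treat the token as expired slightly early to absorb clock skew and latency.
function isExpired(token, nowMs = Date.now(), skewMs = 30000) {
  return nowMs + skewMs >= token.expiresAtMs;
}
```

Keep the returned object in memory only and never write the token values to logs or the console.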