Please post the original authorization request (/authorize) you’re making from within your app. What OAuth2 grant type are you using? Or are you entering this URL you mentioned directly in the browser like this?
Curious: where did you get this info from that you’d should be calling the /login url, or why are you calling it int he first place?
You can refer to the Authentication API docs and check the correct API endpoint, depending on the grant type you’re using.
The URL is not right, firstly, it’s not login but should be authorize, and also the parameters in the Harusa docs aren’t correct, for example it should be client_id and not client. Please take a look at the docs I linked, there’s is an exact example given, also add a nonce, then it works. I just tested it.