Your snippet indicates that you are using XMLHttpRequest. Calls to /authorize
can never be made with XMLHttpRequest. They should only be made via a redirect or other top-level browser navigation and this is why CORS is not supported at that API.
Please check this similar question where I explained this in a bit more detail Received CORS issue trying to reproduce quickstart demo in Rails - #4 by luuuis
Hope this helps.