Thanks @nils,
The important thing here is what is happening in the browser, as that is where CORS errors may pop up.
I can see in your screenshot of the Network tab above that the request to `/authorize` is being initiated by “turbo”. I’m not familiar with that library but from reading https://turbo.hotwire.dev/handbook/introduction#turbo-drive%3A-navigate-within-a-persistent-process it looks like it may be attempting to do a cross-origin fetch of `/authorize`, which is not supported.
The OAuth 2.0 authorization endpoint is not designed to be called programmatically (for example using an `xhr` or `fetch` request from JavaScript) so you will need to disable Turbo for `/authorize` for this to work.
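
As an added illustration of the advice above (not code from the original reply or from any project mentioned in it): a sketch that sends the browser to `/authorize` as a top-level navigation and opts matching links out of Turbo Drive with its `data-turbo="false"` attribute. The hosts, client id, `oauth_state` storage key and all function names are assumptions made for the example.

```javascript
// Added example. Hosts, client id and storage key are constructed placeholders.
const nodeCrypto = typeof require === "function" ? require("crypto") : null;

// Unguessable state value that ties the callback to this browser session.
function newState() {
  if (globalThis.crypto && globalThis.crypto.getRandomValues) {
    const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
    return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  }
  return nodeCrypto.randomBytes(16).toString("hex");
}

// Build the authorization request URL (authorization code flow).
function buildAuthorizeUrl(cfg, state) {
  const url = new URL("/authorize", cfg.issuer);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    scope: cfg.scope,
    state,
  }).toString();
  return url.toString();
}

// True when a link targets an authorization endpoint and must be followed
// by the browser itself, not by a fetch-based navigation library.
function needsFullPageNavigation(href, pageOrigin) {
  return new URL(href, pageOrigin).pathname.endsWith("/authorize");
}

// Opt matching links out of Turbo Drive with its data-turbo="false" attribute.
function markLoginLinks(links, pageOrigin) {
  const marked = links.filter((a) =>
    needsFullPageNavigation(a.getAttribute("href"), pageOrigin));
  marked.forEach((a) => a.setAttribute("data-turbo", "false"));
  return marked.length;
}

// Start login as a top-level navigation: the browser leaves the page,
// so no CORS check applies and the provider can render its login UI.
function startLogin(win, cfg) {
  const state = newState();
  win.sessionStorage.setItem("oauth_state", state); // compared on the callback
  win.location.assign(buildAuthorizeUrl(cfg, state));
  return state;
}
```

In a page this would be called as `startLogin(window, cfg)` from a click handler and `markLoginLinks([...document.querySelectorAll("a[href]")], location.origin)` once the DOM is ready.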