The /login endpoint responds with a 303 redirect header; the value of the ‘Location’ header is the aforementioned URL. Here it is, with the sensitive information crossed out:
I was expecting the browser to be redirected to your sign-in page; however, I get a CORS error. Again, I’ve crossed out the sensitive information:
Access to fetch at ‘https://dev-xxx.okta.com/oauth2/default/v1/authorize?scope=open&state=fd391a06-2ecc-4251-9224-cab2ab9c6fad&client_id=xxx&redirect_uri=http://localhost:8001/authorization-code/callback’ (redirected from ‘http://localhost:8001/login’) from origin ‘http://localhost:8001’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.
I was assuming that the application that I have set up from your control panel would mean that the correct CORS header would be sent by your server?
What step am I missing?