I have a login button in my JavaScript application that makes a restful request to my http://localhost:8001/login endpoint. This endpoint constructs a URL from the ORG_URL, CLIENT_ID and REDIRECT_URI variables as described in your ‘Use the Authorization Code Flow’ documentation.
The /login endpoint responds with a 303 redirect header, the value of the ‘Location’ header is the aforementioned URL. Here it is, with the sensitive information crossed out:
Thanks! Actually, I’ve just checked the system logs and the first two failures were due to an erroneous leading space character in the redirect URL, which I’ve now corrected. The last time I tried, the error was ‘unsupported_response_type’. I wonder if that is related. Anyway, I shall add the trusted origin. I had assumed that it was calculated from the redirect or callback URLs that I supplied. Thanks again.
Ah! My mistake, I see that the response_type parameter should be set to ‘code’. Still a CORS error, though. Now the error is ‘no_matching_scope’. I have the scope parameter correctly set to ‘openid’, I believe.
So the problem was that my /login endpoint was being called restfully rather than via a standard link. What also threw me off was that your /authorize endpoint was immediately redirecting rather than showing your sign in page. I have yet to work out why this is.
The /authorize endpoint is not CORS-enabled and requires a redirect in the browser instead of an AJAX call. If you would like to prevent this request, you can use postMessage as exemplified here.
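As an added example (not code from the thread or from the provider), here is a /login handler that builds the authorize URL the way the thread ends up with and answers with a 303 so the browser, not an XHR call, follows it to /authorize. ORG_URL, CLIENT_ID and REDIRECT_URI are placeholder values, the /oauth2/v1/authorize path is an assumption, and the `state` value is supplied by the caller's session layer.

```javascript
// Added example, not code from the thread. Placeholder values stand in for the
// ORG_URL, CLIENT_ID and REDIRECT_URI the poster described; the authorize path
// is assumed.
const ORG_URL = 'https://example.okta.com';             // placeholder org URL
const CLIENT_ID = 'CLIENT_ID_PLACEHOLDER';               // placeholder client id
const REDIRECT_URI = ' http://localhost:8001/callback';  // constructed: note the leading space

// Build the authorization-code request URL, guarding against the three
// mistakes from the thread: a leading space in redirect_uri, a response_type
// other than "code", and a scope that does not include "openid".
function buildAuthorizeUrl({ orgUrl, clientId, redirectUri, state, scope = 'openid' }) {
  const cleaned = redirectUri.trim();
  if (cleaned !== redirectUri) {
    console.warn('redirect_uri had surrounding whitespace; trimmed it');
  }
  new URL(cleaned); // throws if redirect_uri is not an absolute URL
  if (!scope.split(/\s+/).includes('openid')) {
    throw new Error('OIDC requests must include the "openid" scope');
  }
  if (typeof state !== 'string' || state.length < 16) {
    throw new Error('state must be an unguessable value tied to the session');
  }
  const url = new URL('/oauth2/v1/authorize', orgUrl); // assumed path
  url.search = new URLSearchParams({
    client_id: clientId,
    response_type: 'code', // Authorization Code Flow: "code", never "token" here
    scope,
    redirect_uri: cleaned,
    state,                 // checked against the session on the callback (CSRF)
  }).toString();
  return url.toString();
}

// /login handler: answer 303 so the browser itself navigates to /authorize.
// The page must reach /login via a plain link or window.location.assign('/login');
// a fetch/XHR call follows the 303 cross-origin into /authorize and fails on CORS.
function handleLogin(req, res, state) {
  const location = buildAuthorizeUrl({
    orgUrl: ORG_URL, clientId: CLIENT_ID, redirectUri: REDIRECT_URI, state,
  });
  res.writeHead(303, { Location: location });
  res.end();
  return { state, location }; // returned so the caller can persist state in the session
}
```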