Hi @ian.macrae
The /authorize endpoint is not CORS enabled and, as such, requests to it will always be blocked by the browser due to Same-Origin policy.
In order to access the /authorize endpoint successfully, you can either redirect the user to Okta to get authorized or use postMessage() as exemplified here.