Redirect to external site in a plugin?

I’m trying to call an external URL to log in to a remote site after users log in to Discourse. All I need to do is redirect to a URL on the remote site, which does the login there, and then redirects back to Discourse. When I do, the browser refuses to redirect because or CORS:

Access to XMLHttpRequest at 'https://SITE/api/sso/v2/sso/jwt?' (redirected from 'https://testing.literatehosting.com/session') from origin 'https://testing.literatehosting.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Developers on the app say that it’s because I’m doing the redirect wrong (e.g., with an ajax call?), but this looks the same as, say, what I see in commits mentioned here.

I’m (once again) stumped.

I can’t tell if I’m just stupid or whether they need to be sending Access-Control-Allow-Origin headers (and if that’s the case, then this can’t be working for any of their clients? which seems far-fetched).

Here’s my code:

after_initialize do
  class ::SessionController
    def login(user)
      puts "\n\n\n\LOGIN happening!\n\n\n\n"
      session.delete(ACTIVATE_USER_KEY)
      log_on_user(user)

      if payload = cookies.delete(:sso_payload)
        sso_provider(payload)
      else
        if true # plugin is enabled and has api key and url
          sign_into_thinkific(user)
        else
          render_serialized(user, UserSerializer)
        end
      end
    end

    def sign_into_thinkific(user)
      # do stuff to generate payload

      redirect_to thinkific_sso_url(payload) # also tried redirect_to 
 generate_url(thinkific_sso_url(payload))

    end

    def generate_url(url, params = {})
      puts "\n\n\nGenerate URL: #{url}\n\n\n"
      uri = URI(url)
      uri.query = params.to_query
      uri.to_s
    end

    def thinkific_sso_url(payload)
      current_url="https://#{GlobalSetting.hostname}/"
      url = "https://#{SiteSetting.thinkific_site_url}/api/sso/v2/sso/jwt?jwt=#{payload}"
      url += "&return_to=#{URI.escape(current_url)}" 

      url
    end

  end
end

EDIT: The developers shared a Rails app that uses redirect_to just as I am and they claim that it works. Is there something about Discourse that makes it do something different with a redirect_to because it’s. . . inside Ember, or something?

Sure there is something simple that I’m missing here. My latest incantation is to try

      url = thinkific_sso_url(payload)
      redirect_location = "<!DOCTYPE html><html><head><meta http-equiv=\"Refresh\" content = \"5; url='#{url}'\" /></head><body>This is my body</body></html>"
      Rails.logger.info "REDIRECTING... #{redirect_location}"

      render plain: redirect_location

If I save the text that is redirect_location to a file and open it in my browser, I get logged in to thinkific and I’m redirected to Discourse. Sadly, the same doesn’t work when I click login in my browser.

Can anyone throw me a bone?