Hi Trevor,
It is indeed a bit of a mess and I couldn't find the problem from the code.
So, you successfully get the authorization code from the user, then, you send that authorization code to an AWS lambda function and from there you POST the authorization code to the ORCID token endpoint, is that correct?
I don't see how that could cause a CORS error, however, have you tried using the public API endpoint instead of the default one?
Lets try this, please go ahead and get an authorization code, then, exchange it using the following CURL:
curl -i -L -k -H 'Accept: application/json' --data 'client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&grant_type=authorization_code&redirect_uri={REDIRECT_URI_USED_TO_GET_AUTH_CODE}&code={AUTH_CODE}'
https://pub.sandbox.orcid.org/oauth/token
Please notice all the placeholders, change them for your client id, client secret, redirect uri and authorization code; if that works fine for you, update your code to use the same URL as the above CURL and try again; if you still get errors, please send me some screenshots and we can continue the discussion.
Ángel Montenegro
Tech lead