I had the same problem.  You have add your ORIGIN (the location of the file that calls the Trello.authorize() to the list of "Allowed Origins" on https://trello.com/app-key .  After I included my origin, I no longer got the "Invalid return_url" response, and it returned the desired token.

Source of confusion:  The comments under "Allowed Origins" on https://trello.com/app-key refer to sites that "your application is allowed to redirect back to following the authorization flow."  That was a bit confusing to me.  The list should include sites you want to redirect back to IN ADDITION TO the sites you are calling Trello.authorize() from.

If you are thinking "I don't need a redirect" (and, in fact, I don't believe you can set a return_url when using client.js since you'll want your page to continue to render), then those comments under "Allowed Origins" could lead you to believe you don't need to specify anything there.  That would be incorrect.

Summary:  Even if you want NO post-authorization re-direct, you still have to list an ORIGIN.

A few other comments...
- Wildcards as Allowed Origins didn't work for me.
- You cannot specify file:// in Allowed Origins, so you cannot run your javascript off a local file.
- Specifying a return_url works if you call the URL (like 
https://trello.com/1/authorize?response_type=token&key=<YOUR KEY>&return_urli=<YOUR RETURN_URL>... ) yourself.  If you use client.js to generate the URL, you aren't able to specify a return url.
- If you want to reset things to experiment more, just revoking access on https://trello.com/<YOUR_NAME>/account doesn't clear the cache.  You also need to clear stored data for your original site by clearly it on (for Chrome) chrome://settings/siteData?search=cookies .