Authentication Code flow

When i try to get an access token via the authentication code flow:

{"error":"access_denied","error_description":"Unauthorized"}

Here is the cloudflare worker for handling the callback:

export async function onRequestGet(context: WranglerContext) {
  const url = new URL(context.request.url)

  const code = url.searchParams.get('code')?.trim()
  const state = url.searchParams.get('state')
  if (typeof code !== 'string') {
    return new Response('Missing Code in Oauth redirect', {
      status: 500,
    })
  }
  if (typeof state !== 'string') {
    return new Response('Missing State in Oauth redirect', {
      status: 500,
    })
  }

  const formData = new FormData()
  formData.append('grant_type', 'authorization_code')
  formData.append('client_secret', oAuth.clientSecret)
  formData.append('client_id', oAuth.clientId)
  formData.append('code', code)

  const res = await fetch(`https://${oAuth.tokenUrl}`, {
    method: 'POST',
    headers: {
      'content-type': 'application/x-www-form-urlencoded',
      accept: 'application/json',
    },
    body: formData,
  })
  if (res.ok === false) {
    return new Response(await res.text(), {
      status: 500,
    })
  }

  const body = await res.json()
  if (body.access_token) {
    return new Response(body.access_token, {
      headers: {
        'content-type': 'text/plain',
        'Content-Encoding': 'gzip',
      },
    })
  } else {
    return new Response(body.error, {
      headers: {
        'content-type': 'text/plain',
        'Content-Encoding': 'gzip',
      },
    })
  }
}

And the oAuth config:

export const oAuth = {
  authUrl: 'toddle.eu.auth0.com/authorize',
  tokenUrl: 'toddle.eu.auth0.com/oauth/token',
  clientId: 'OBmnCfIV2h8DSvC3YZGaeH7n0NFniEeP',
  clientSecret: its a secret,
  callbackUrl: 'http://localhost:8788/login_callback',
}

I the application is set to regular web app, I have checked that grant type Authorization code is allowed, and I am seeing “Successful Login” in the logs after each attempt.

Here is the code generating the authorize request:

const redirectUrl = (state: string) =>
  `${oAuth.authUrl}?response_type=code&client_id=${
    oAuth.clientId
  }&redirect_uri=${
    oAuth.callbackUrl
  }&scope=openid%20profile%20email&state=${encodeURIComponent(state)}`