I have the exact same problem. Moreover, in my case I also have access to the OAuth2 server logs and I can see in there there Auth0 successfully does a call to exchange the code for a token, than successfully requests user information and than it does NOT try to exchange the code again (which would rightfully produce the invalid code error), but for some reason the invalid code error is shown…