So, a few things I just discovered, although I’m not getting the exact same error as you (I couldn’t reproduce it in a “clean” setup after all). The whole flow should work fine locally without changes. However, when env is set to production, make sure that you set up:
app.set('trust proxy', 1); // critical for heroku and some other providers
sess.proxy = true
Also, make sure you have state: true in your Auth0Strategy object.
Please let me know if it helps.
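Why the production settings above matter, as an added example that is not part of the original post: a simplified JavaScript model (not express or express-session source) of whether a session cookie flagged Secure is issued when TLS ends at the hosting provider's proxy. It assumes `sess.cookie.secure` is true in production; the function names, scenario names and request object are hypothetical.

```javascript
// Simplified model (an assumption, not library code) of how a session
// middleware decides whether a request is "secure" enough to receive a
// cookie flagged Secure when TLS is terminated at a reverse proxy.

function forwardedProto(req) {
  // Proxies may append values; the first entry is the client-facing protocol.
  const first = (req.headers['x-forwarded-proto'] || '').split(',')[0];
  return first.trim().toLowerCase();
}

// Express side: req.secure is true only for a TLS socket, or when
// 'trust proxy' is enabled and the proxy reports https.
function expressReqSecure(req, appTrustProxy) {
  if (req.encrypted) return true;
  return Boolean(appTrustProxy) && forwardedProto(req) === 'https';
}

// Session side: proxy=true reads X-Forwarded-Proto, proxy=false ignores it,
// proxy=undefined falls back to Express's view of the request.
function sessionCookieIssued(req, { appTrustProxy, sess }) {
  if (!sess.cookie.secure) return true; // non-Secure cookie is always set
  if (req.encrypted) return true;
  if (sess.proxy === false) return false;
  if (sess.proxy === true) return forwardedProto(req) === 'https';
  return expressReqSecure(req, appTrustProxy);
}

// Constructed request: browser -> HTTPS -> proxy -> plain HTTP -> app.
const behindProxy = { encrypted: false, headers: { 'x-forwarded-proto': 'https' } };

// Constructed configurations to compare.
const scenarios = {
  localDev:    { appTrustProxy: false, sess: { cookie: { secure: false } } },
  prodMissing: { appTrustProxy: false, sess: { cookie: { secure: true } } },
  prodTrust:   { appTrustProxy: 1,     sess: { cookie: { secure: true } } },
  prodBoth:    { appTrustProxy: 1,     sess: { cookie: { secure: true }, proxy: true } },
};

function report() {
  const out = {};
  for (const [name, cfg] of Object.entries(scenarios)) {
    out[name] = sessionCookieIssued(behindProxy, cfg);
  }
  return out;
}

console.log(report());
```

In the `prodMissing` case no session cookie reaches the browser, so anything kept in the session between the login redirect and the callback is gone when the callback arrives.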