Express-openid-connect response_type: code = 400 access_denied

I’m using the nodejs express sample app generated that uses: GitHub - auth0/express-openid-connect: An Express.js middleware to protect OpenID Connect web applications.

  1. I have a regular web application in auth0
  2. I downloaded the sample app, and it works out of the box fine
  3. My app needs to get an accessToken so I followed the directions about response_type: code in the auth config (below)
  4. Now after successful login, and consent the redirect fails at /callback with a 400 and access_denied
  5. auth0 logs show a Failed Exchange error of Unauthorized
  6. the app’s token endpoint auth method is POST

I’m not sure what to do here or what the issue is.

const config = {
  authRequired: false,
  auth0Logout: true,
  clientSecret: process.env.SECRET,
  authorizationParams: {
    response_type: 'code',
    scope: 'openid profile email read:whatever',
    audience: 'https://my-email-test-service',
    prompt: 'consent'
  } 
};

The 400 unauthorized is displayed on this uri

http://localhost:3000/callback?code=SditZiRrQswFl1bLW8veGnwsveNbxIxxxxxxxx&state=eyJyZXR1cxxxxxxxxJ9`

fixed this by ensuring that clientSecret is the CLIENT_SECRET… not the rando SECRET value that the app generates in the sample app