Hi @itcloudnet,
I have reviewed your code and noticed that when you get the access token by calling the /oauth/token endpoint, you do not inject the authorization code returned from logging in through the /authorize endpoint.

For example, it should look like this:
```
curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=authorization_code \
  --data 'client_id={yourClientId}' \
  --data 'client_secret={yourClientSecret}' \
  --data 'code={yourAuthorizationCode}' \
  --data 'redirect_uri={https://yourApp/callback}'
```
See Call Your API Using the Authorization Code Flow.
Secondly, I noticed that you have included the code_verifier parameter in your code, implying the authorization code flow with PKCE, but you are missing the code_challenge and code_challenge_method parameters in your /authorize request.
Be careful to use only one of these flows and not mix them up. If your app is a mobile app or a SPA, you should use PKCE. Otherwise, use the regular authorization code flow for regular web apps.
There is also the Resource Owner Password Flow, which seems like the flow you are looking for. This is typically used when redirect-based flows like the Authorization Code flow cannot be used.
Let me know how this goes for you.
Thanks,
Rueben
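The following is an added example, not part of Rueben's reply or Auth0's SDKs, showing how the two halves of the PKCE flow fit together: the client derives a code_challenge from a freshly generated code_verifier, sends the challenge (with code_challenge_method=S256) to /authorize, and later sends the verifier to /oauth/token, where the authorization server recomputes the challenge and compares. The domain, client ID and redirect URI are placeholders, and all function names are hypothetical.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url_nopad(data: bytes) -> str:
    """Base64url encoding without '=' padding, as required by RFC 7636."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy verifier: 32 random bytes -> 43 unreserved characters (RFC 7636 4.1)."""
    return b64url_nopad(secrets.token_bytes(32))


def make_code_challenge(code_verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 4.2)."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorize_url(domain: str, client_id: str, redirect_uri: str,
                        code_challenge: str, state: str) -> str:
    """Step 1: the /authorize request must carry the challenge and its method."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{domain}/authorize?{urlencode(params)}"


def build_token_request(domain: str, client_id: str, redirect_uri: str,
                        code: str, code_verifier: str) -> tuple[str, dict]:
    """Step 2: the /oauth/token request carries the returned code plus the verifier.
    A public client (mobile/SPA) sends no client_secret; the verifier replaces it."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    }
    return f"https://{domain}/oauth/token", body


def server_accepts_verifier(code_verifier: str, stored_code_challenge: str) -> bool:
    """What the authorization server checks: the verifier must hash to the stored challenge."""
    return secrets.compare_digest(make_code_challenge(code_verifier), stored_code_challenge)
```

The test vector in RFC 7636 Appendix B (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) can be used to confirm the S256 derivation.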