PKCE Verification Fails

I have a pre-existing FusionAuth integrated application that uses Authorization Code successfully. For safety reasons I'm adding support for PKCE.

I've added code_challenge and code_challenge_method to the authorize url, so it looks like this:

https://.../oauth2/authorize?client_id=...&tenantId=...&redirect_uri=.../authcallback&response_type=code&scope=openid&state=...&code_challenge=...&code_challenge_method=S256

Upon response to callback, the code is then sent back to FusionAuth in the Token request, adding the code_verifier:

POST /oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: ...
Connection: close
Content-Length: 241

client_id=...&redirect_uri=...%3A3000%2Fauthcallback&code=...&code_verifier=...&grant_type=authorization_code

The response is a 400 Bad Request with the following body:

{"error":"invalid_request","error_description":"Invalid Authorization Code","error_reason":"auth_code_not_found"}

I've created a Generic Connector, based on the articles/posts below. I'm returning the basic user data (id, e-mail, active, etc). I'd like to include Roles as well for the user object, is this possible? If so, how? Thanks.

• https://fusionauth.io/docs/v1/tech/connectors/#migration
• https://fusionauth.io/blog/2020/10/14/how-to-migrate-user-data-centralized-auth-system/