It seems like when a TokenError is generated, it isn't passed the status code that was generated by the upstream service. This can be seen in OAuth2Strategy#parseErrorResponse. It should pass the status parameter through to the TokenError constructor as the 4th parameter. As a part of this, the default status code created by TokenError should be 400, not 500, as it looks like the default error code is invalid_request, which maps to the former instead of the latter.