OK this is an open issue with Passport:
https://github.com/jaredhanson/passport/issues/582#issuecomment-506283986
I should use the href and not fetch.
Possible duplicate of
Cors error when sending request from React frontend to Google Oauth PassportJS on backend
solved Using fetch with Passport gets “No ‘Access-Control-Allow-Origin’ header is present on the requested resource.”