I’ve just come across Redirect to onboarding flow after sign up (or first log in)? - #21 by dan.woda which may solve this, although I assume that added claim will be in the token until user performs another login?
That may work for our use case, but I’m wondering if there are instances where an auth flow does not require a login and user lands on the callback URL, where we incorrectly consume that as a new sign-up.