I totally forgot about this.
The issue within our applications this was originally causing grief for went away when we changed our internal link from the Auth0 User ID (my preference) to the Auth0 email address. So the duplicate accounts on Auth0 would still link to the same account within our product. So the issue I described above wasn’t a bother to me anymore.
That said.
No, I never got a response to that. It’s almost 2 years old now. Your steps make it sound like they may have addressed my issue by not sending the email during a forgot password flow. Which is correct. It shouldn’t.
As far as Auth0 simply saying “we sent you an email” even though they didn’t. This is a gray area in the login land. On the one hand it’s confusing to the user to say they did something but did not. On the other hand it’s a security feature.
If the form told the user details about the account they entered it could be used by anyone to siphon user emails out of your system. You’ll see similar tactics on login pages. A failed login should not tell the end user “the password was wrong” or “that email does not exist in our system”. As helpful as those are to the user, they’re easy vectors for someone to collect information about your users.
Auth0 is going the secure route, which they should. Hopefully you don’t have too many users actually fall into this case.
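
Added example, not part of the original post and not Auth0's code: a minimal Python sketch of the behaviour described above, where the forgot-password and login handlers return the same response whether or not the email exists. The in-memory `USERS` store, the `OUTBOX` list, the message wording and the function names are all constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample data: one registered account, kept in memory only.
SALT = os.urandom(16)
USERS = {"alice@example.com": {"salt": SALT,
                               "hash": hash_password("correct horse", SALT)}}

# Dummy record so an unknown email costs the same hashing work as a known one;
# otherwise response time would reveal which addresses are registered.
DUMMY_SALT = os.urandom(16)
DUMMY = {"salt": DUMMY_SALT, "hash": hash_password("placeholder", DUMMY_SALT)}

OUTBOX = []  # stands in for the real mail queue

RESET_MESSAGE = "We sent you an email."       # constructed wording
LOGIN_FAILED = "Wrong email or password."     # constructed wording

def forgot_password(email: str) -> dict:
    """Return the same status and body whether or not the account exists."""
    if email.lower() in USERS:
        OUTBOX.append(email.lower())  # only real accounts actually get mail
    return {"status": 200, "body": RESET_MESSAGE}

def login(email: str, password: str) -> dict:
    """One generic failure for both an unknown email and a wrong password."""
    record = USERS.get(email.lower())
    reference = record or DUMMY
    candidate = hash_password(password, reference["salt"])
    matches = hmac.compare_digest(candidate, reference["hash"])
    if record is not None and matches:
        return {"status": 200, "body": "Welcome back."}
    return {"status": 401, "body": LOGIN_FAILED}
```
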