We have found a workaround for the problem. In short: Use deeplink callback url.
Steps required:
- setup deeplinks for the app (see here how to set up deeplinks in in capacitor)
- making the callback page reachable via deeplink
- and then provide the deeplink based callback url as redirect url during authorization