Hey @SaqibHussain ,
you were totally right. My test was somehow broken. With your test with the unauthorized callback URL, the redirect worked correctly.
It also now works with an old password reset link, which is now expired.
I somehow expected, that I would also get an error page, when I try to reuse a link, that has already been used. But instead, it basically works and I get redirected to the app like when I just changed the password. Auth0 seems to know, that the link was already used successfully and therefore just sends me to the app.
Thanks for the clarification. Have a nice week.
Kind regards,
Pascal