Yeah, I have also tested this. As my user is created by the Management API, application.callback_domain is always empty and it's always redirecting to the default URL, which seems logical according to the expression. But if it always redirects to the default, then what is the necessity of using application.callback_domain? Again, the same user is used from different applications, as in the SSO concept, so it's not possible to set a default URL, as every application has a different redirect URL.
This is completely wrong architecture design by the Auth0 architect. When a user is using the Auth0 login flow from an application, obviously the request is using a dedicated client credential. So Auth0 knows which client it is, so instead of taking the URL from that application's specific allowed URLs, which are configured in Auth0, why is it picking the URL from the user's associated application?
A user shouldn't be related to any application when it's created, because you never know from which application you're gonna use that user.