We’re having some issues in our password rest flow, once the user completes the password reset flow they are automatically logged into the application via PKCE as the state is replayed.
We’ve removed the client_id from the url in the email and are still experiencing the same issue. We want users to end up on /password/complete.
I’ve taken a look at steps here posted by @dan:
Are they out out date?