The OAuth process flow appears to have stopped working as expected and documented. Calling https://connect.squareupsandbox.com/oauth2/authorize, no longer returns the Square authorization page where a user may decide to allow or deny authorization. The *callback url *is returned with the results expected as if the user selected allow.
Further information
the same code worked as expected 48 hours ago
testing is being done with a sandbox account
the results are repeatable even when the authorize api is called from a browser
Are you changing the permissions? I believe if the merchant has already approved the application, and still has an active access token, if you request a new access token with the same permissions through the OAuth link it will just go straight to redirecting to your OAuth redirect URL with the new code.
Also, are you using short_lived? If so, then I don’t believe this would be expected. Otherwise, you should just be calling ObtainToken anyway, to get a new token, if their existing token is still active (or if you have a refresh token).