I have the same issue. And @Gregory Goijaerts with oauth2 there is notion of a secret when you redirect the user to the oauth page where people log in.
It's simply the following, as documented here: https://doc.bunq.com/#/oauth
This is only possible when:
1. You've created a new user using the tinker app.
2. You're using the sandbox Android app APK (using a phone OR browserstack live app feature, this is what I did, pretty sweet!)
3. You've added the oauth2 connection, and entered the redirect urls and recorded the app client id and secret.
4. Then, you use the and endpoint for this: https://oauth.bunq.com/auth or https://oauth.sandbox.bunq.com/auth <- this one does not work and just simply redirects you to bunq.com home page.. is this a bug? Also I have never seen the link in the docs anywhere.
The problem here is that when you use the sandbox, you actually do not know which endpoint to use for the oauth connection (it's not in the documentation).
PS: I don't know what to do as I have the same issue as @Hossein. So, what is the correct oauth link for bunq when you use the sandbox and have followed the steps as I've mentioned above.