After sending our app for the review, we got such feedback Use OAuth to ask for scope permissions immediately after someone adds your app. Refer to our guide on authentication on install and review this example of what the required installation flow looks like.
We checked our app's code and instructions under https://shopify.dev/tutorials/authenticate-with-oauth, and the only place that has left unclear is related to Ask for permission section. Could you please confirm if we have to place our API endpoint under app URL path on Partners Dashboard that would handle authentication process on our side using query params passed (hmac, shop, timestamp)?
We just want to be sure if the feedback that we got is related to the flow described above or not, to not send the app for a review too frequently.
What they are saying is that the first screen you should see after pressing 'Install App' should be the auth page.
Check out the steps on the Shopify Python library if you want a step by step process to what you need to do.