[keycloak-dev] Email verification and redirect_uri

Bill Burke bburke at redhat.com
Thu Sep 10 09:02:23 EDT 2015


The quandary I have with verify email (and forgot password) is that if 
the email click happens in the same browser it is in another tab.  This 
leaves the previous tab in an inconsistent state.

In master, I've just refactored Forgot Password to reset the main 
browser to the login page, and clicking the email link allows you to 
proceed with login.  I'm wondering if we should do the same with Verify 
Email?  The main browser is reset to the login page (you have to enter 
in your credentials again) and clicking on the email link allows you to 
proceed with login regardless of browser.


On 9/10/2015 3:15 AM, Thomas Raehalme wrote:
> Hi,
>
> We are doing some testing regarding email verifications.
>
> Everything seems to work great as long as the user keeps using the same
> browser for every request (try to access a protected resource, register
> a new account and click the email verification link).
>
> If the user, however, registers with Firefox and the verification link
> in email is opened in a different browser, say, Chrome, the user is
> shown a message regarding successful verification and a link "Back to
> application". The user is not redirected to the original protected resource.
>
> If you read your email with a browser this is probably not going to
> happen. But if your email client opens a different browser for any
> reason, then it will break the process.
>
> What do you think, would it make sense to include the original
> redirect_uri in the verification link to ensure that the user is
> redirected back to the original protected resource? Or maybe you could
> store the redirect_uri on the server next to the verification token?
>
> Best regards,
> Thomas

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
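
An added sketch (not Keycloak code and not from either poster) of the second option raised in the quoted message: the redirect_uri is stored on the server beside the verification token, so the emailed link carries only an opaque token and redemption does not depend on the browser that started registration. The names `VerificationStore`, `issue`, `redeem`, the allow-list contents and the 12-hour lifetime are assumptions.

```python
import hashlib
import secrets
import time

# Constructed allow-list: redirect URIs registered per client (assumption).
REGISTERED_REDIRECTS = {"my-app": {"https://app.example.com/protected"}}


class VerificationStore:
    """Keeps redirect_uri on the server, keyed by a hash of the emailed token."""

    def __init__(self, ttl_seconds=12 * 3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # sha256(token) -> (user_id, redirect_uri, expires_at)

    @staticmethod
    def _key(token):
        # Store only a hash, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, client_id, redirect_uri):
        # Validate at issue time: an unregistered target is never stored.
        if redirect_uri not in REGISTERED_REDIRECTS.get(client_id, set()):
            raise ValueError("redirect_uri not registered for client")
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = (
            user_id, redirect_uri, self._clock() + self._ttl)
        return token  # only this opaque value goes into the emailed link

    def redeem(self, token):
        """Return (user_id, redirect_uri), or None if unknown, used or expired."""
        entry = self._pending.pop(self._key(token), None)  # pop makes it single use
        if entry is None:
            return None
        user_id, redirect_uri, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id, redirect_uri
```

Because the redirect target is looked up from server state rather than read from the link, it cannot be altered by editing the URL in the email.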

