We are doing some testing regarding email verifications.
Everything seems to work great as long as the user keeps using the same
browser for every request (try to access a protected resource, register a
new account and click the email verification link).
If the user, however, registers with Firefox and the verification link in
the email is opened in a different browser, say, Chrome, the user is shown a
message regarding successful verification and a link "Back to application".
The user is not redirected to the original protected resource.
If you read your email with a browser this is probably not going to happen.
But if your email client opens a different browser for any reason, then it
will break the process.
What do you think: would it make sense to include the original redirect_uri
in the verification link to ensure that the user is redirected back to the
original protected resource? Or maybe you could store the redirect_uri on
the server next to the verification token?
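
The second option in the question above (keeping the redirect_uri on the server next to the verification token) could look like the sketch below. This is an added example, not part of the original message and not the project's own code. `VerificationStore`, `REGISTERED_REDIRECTS`, `verification_link` and the URLs are hypothetical, and the check against an allowlist of registered redirect URIs is an assumption about how the server knows which targets are legitimate.

```python
import hashlib
import secrets
import time

# Hypothetical allowlist of exact redirect URIs registered for the client
# (constructed sample value).
REGISTERED_REDIRECTS = {"https://app.example.com/protected/report"}
TOKEN_TTL_SECONDS = 3600


class VerificationStore:
    """In-memory stand-in for the server-side table of pending verifications."""

    def __init__(self, now=time.time):
        self._rows = {}  # sha256(token) -> (user_id, redirect_uri, expires_at)
        self._now = now

    def issue(self, user_id, redirect_uri):
        # Validate when storing, so an unregistered target is never persisted.
        if redirect_uri not in REGISTERED_REDIRECTS:
            raise ValueError("redirect_uri is not registered for this client")
        token = secrets.token_urlsafe(32)
        # Store only a hash, so a leaked table does not yield usable links.
        key = hashlib.sha256(token.encode()).hexdigest()
        expires_at = self._now() + TOKEN_TTL_SECONDS
        self._rows[key] = (user_id, redirect_uri, expires_at)
        return token  # only this opaque value goes into the emailed link

    def redeem(self, token):
        """Return (user_id, redirect_uri) once; None if unknown, used or expired."""
        key = hashlib.sha256(token.encode()).hexdigest()
        row = self._rows.pop(key, None)  # pop makes the token single-use
        if row is None:
            return None
        user_id, redirect_uri, expires_at = row
        if self._now() > expires_at:
            return None
        return user_id, redirect_uri


def verification_link(base_url, token):
    # The link carries no redirect_uri, so the target cannot be edited in the
    # email and does not depend on which browser opens the link.
    return f"{base_url}?token={token}"
```

Because the redirect target is looked up from the token rather than from the browser session, opening the link in Chrome after registering in Firefox still resolves to the original protected resource.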