We are doing some testing regarding email verifications.
Everything seems to work great as long as the user keeps using the same browser for every request (try to access a protected resource, register a new account and click the email verification link).
If the user, however, registers with Firefox and the verification link in the email is opened in a different browser, say, Chrome, the user is shown a message regarding successful verification and a link "Back to application". The user is not redirected to the original protected resource.
If you read your email with a browser, this is probably not going to happen. But if your email client opens a different browser for any reason, then it will break the process.
What do you think: would it make sense to include the original redirect_uri in the verification link to ensure that the user is redirected back to the original protected resource? Or maybe you could store the redirect_uri on the server next to the verification token?
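
The second option raised above (keeping the redirect_uri on the server next to the verification token), sketched as an added example that is not part of the original post or of the project's code. The allowlist, fallback URL, token lifetime and function names are assumptions; the redirect target is validated when the token is issued, so the emailed link carries only an opaque token and works from any browser.

```python
import hashlib
import secrets
import time
from urllib.parse import urlsplit

# Assumed values for illustration (constructed, not from the original post).
REGISTERED_REDIRECTS = {"https://app.example.test/callback"}
FALLBACK = "https://app.example.test/"
TOKEN_TTL = 3600  # seconds

_pending = {}  # sha256(token) -> (user_id, redirect_uri, expires_at)


def redirect_allowed(uri):
    """Exact match of scheme, host and path against the registered URIs."""
    p = urlsplit(uri)
    if p.scheme != "https" or p.username or p.fragment:
        return False
    return f"{p.scheme}://{p.netloc}{p.path}" in REGISTERED_REDIRECTS


def issue_verification(user_id, redirect_uri, now=None):
    """At registration: validate redirect_uri and store it with the token."""
    now = time.time() if now is None else now
    target = redirect_uri if redirect_allowed(redirect_uri) else FALLBACK
    token = secrets.token_urlsafe(32)
    # Store only a hash so a leaked table does not yield usable links.
    key = hashlib.sha256(token.encode()).hexdigest()
    _pending[key] = (user_id, target, now + TOKEN_TTL)
    return token  # the only value that goes into the emailed link


def redeem_verification(token, now=None):
    """On link click, from any browser: no session needed, single use."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending.pop(key, None)
    if entry is None or entry[2] < now:
        return None  # unknown, already used, or expired
    user_id, target, _ = entry
    return user_id, target
```

Putting the redirect_uri in the link itself instead would need the same allowlist check at redemption time, plus a signature over the link, since anyone can edit a URL parameter.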