The quandary I have with verify email (and forgot password) is that if
the email click happens in the same browser, it is in another tab. This
leaves the previous tab in an inconsistent state.
In master, I've just refactored Forgot Password to reset the main
browser to the login page, and clicking the email link allows you to
proceed with login. I'm wondering if we should do the same with Verify
Email? The main browser is reset to the login page (you have to enter
your credentials again) and clicking on the email link allows you to
proceed with login regardless of browser.
On 9/10/2015 3:15 AM, Thomas Raehalme wrote:
We are doing some testing regarding email verifications.
Everything seems to work great as long as the user keeps using the same
browser for every request (try to access a protected resource, register
a new account and click the email verification link).
If the user, however, registers with Firefox and the verification link
in the email is opened in a different browser, say, Chrome, the user is
shown a message regarding successful verification and a link "Back to
application". The user is not redirected to the original protected resource.
If you read your email with a browser this is probably not going to
happen. But if your email client opens a different browser for any
reason, then it will break the process.
What do you think, would it make sense to include the original
redirect_uri in the verification link to ensure that the user is
redirected back to the original protected resource? Or maybe you could
store the redirect_uri on the server next to the verification token?
keycloak-dev mailing list
JBoss, a division of Red Hat
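The second option raised in the thread, keeping the redirect_uri on the server next to the verification token, sketched as an added example that is not Keycloak's code. The store, the allowlist of registered redirect URIs, the endpoint URL and the TTL are all assumptions made for illustration; the point is that the clicked link carries only an opaque single-use token, and the destination is recovered server-side, so the flow completes in whichever browser opens the email.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed allowlist standing in for the client's registered redirect URIs;
# only a registered URI may be stored, so the link can never redirect elsewhere.
REGISTERED_REDIRECT_URIS = {"https://app.example.test/callback"}
TOKEN_TTL_SECONDS = 15 * 60
VERIFY_ENDPOINT = "https://sso.example.test/verify-email"  # hypothetical endpoint

# Server-side store keyed by sha256(token): the email holds the token, the
# server only its hash, so a copied store yields no usable verification links.
_pending = {}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_verification_link(user_id, redirect_uri, now=None):
    """Create a single-use link; redirect_uri stays server-side, not in the URL."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not registered for this client")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[_digest(token)] = {
        "user_id": user_id,
        "redirect_uri": redirect_uri,
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    return f"{VERIFY_ENDPOINT}?token={token}"


def verify_email(link, now=None):
    """Consume the token from a clicked link. Returns (status, user_id, redirect_uri)."""
    now = time.time() if now is None else now
    params = parse_qs(urlparse(link).query)
    token = params.get("token", [""])[0]
    record = _pending.pop(_digest(token), None)  # pop: a second click is rejected
    if record is None:
        return ("invalid_token", None, None)
    if now > record["expires_at"]:
        return ("expired", None, None)
    # The destination comes from the server record, so the browser that opened
    # the email can be sent on to the protected resource originally requested.
    return ("verified", record["user_id"], record["redirect_uri"])
```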