Hello again,
I think I might have found the bug by looking at the source code and my tokens.
I'm looking at this file:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
Especially lines 102 and 107.
The token from the verification mail contains this:
"asid":
"f8deaf74-0ea9-4e0d-bc4d-70e9f4ed45ae.Jm9X3YfsiBg.bf56158d-3e48-4ece-bb17-48c5143204ee"
This contains the right client id 'bf56158d-3e48-4ece-bb17-48c5143204ee' (myclient).
When I open that link, the code in lines 78-93 is triggered, creating yet another token
with a compound session id. That token looks like this:
"oasid":
"f8deaf74-0ea9-4e0d-bc4d-70e9f4ed45ae.Jm9X3YfsiBg.bf56158d-3e48-4ece-bb17-48c5143204ee",
"asid":
"9449b12e-9364-43d9-a4ab-3f29e9fe1bdb.KbiccXfmQyE.453f147b-011f-4b40-a8c4-6bdac6eabc85",
"compoundOriginalAuthenticationSessionId":
"f8deaf74-0ea9-4e0d-bc4d-70e9f4ed45ae.Jm9X3YfsiBg.bf56158d-3e48-4ece-bb17-48c5143204ee",
You can see the client id in 'oasid' is 'bf56158d-3e48-4ece-bb17-48c5143204ee' (myclient),
while in 'asid' the client id '453f147b-011f-4b40-a8c4-6bdac6eabc85' points to the
"account" client!
Now when I click the link with this token, lines 102-110 are triggered. There it checks
whether the original authentication session id is present (it is) and then proceeds to the
form with the *current* authSession. The current auth session will be taken from
"asid" which features the wrong client "account"!
A potential fix might be to use the original authentication session in line 107 instead of
the current one.
Is there anything I can do about this bug? Right now this means all users opening the mail
in a new browser window/on a different device will be stuck on their account page and
will not get back to the client they registered from.
Best,
-Matthias
On 03.09.18, 18:30, "keycloak-user-bounces(a)lists.jboss.org on behalf of
Matthias Kesternich" <keycloak-user-bounces(a)lists.jboss.org on behalf of
matthias.kesternich(a)moneymeets.com> wrote:
Hello,
If I perform the following steps, then the redirect_uris that are sent upon
registration are just ignored:
1. Register user with redirect_uri=myapp
2. Receive the verification mail
3. Clear your browser cache or switch to another browser. This step is very important!
4. Open the link from the verification mail, see a tab open with the right
redirect_uri in the url bar
5. Click the button.
6. Another registration verification tab opens which features redirect_uri=account
7. Click the button
8. Get redirected to the login form with redirect_uri = account
9. Login
10. Get redirected to the account page instead of myapp.
Is this expected behavior? I also noticed that if you clear your browser cache then
keycloak will show an additional screen for verification of the e-mail address plus the
login screen. If I don't clear the browser cache I only get one verification screen
and I am then redirected to my application.
Should I file a bug report?
Best,
-Matthias
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
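Added example, not from the mail and not Keycloak's own code: a small Python check that decomposes the compound authentication session ids quoted above and flags when the token's current session ('asid') belongs to a different client than the original ('oasid' / 'compoundOriginalAuthenticationSessionId'), which is the condition that sends the user to the "account" client. It assumes the three dot-separated parts are root session id, tab id and client UUID, as the values in the mail suggest; the claim names and sample values are copied from the mail, and the "continue with the original session" function is the reporter's proposed fix, not verified Keycloak behaviour.

```python
from typing import Dict, Optional, Tuple


def parse_compound_id(value: str) -> Tuple[str, str, str]:
    """Split 'rootSessionId.tabId.clientUuid' into its three parts.
    The layout is an assumption inferred from the token values in the mail."""
    parts = value.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a compound authentication session id: {value!r}")
    root_session_id, tab_id, client_id = parts
    return root_session_id, tab_id, client_id


def original_session_id(claims: Dict[str, str]) -> Optional[str]:
    """The second token carries the original session under two claim names;
    return whichever is present, or None for a first-stage token."""
    for key in ("compoundOriginalAuthenticationSessionId", "oasid"):
        if claims.get(key):
            return claims[key]
    return None


def client_mismatch(claims: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (original_client, current_client) when 'asid' points at a
    different client than the original session, else None."""
    original = original_session_id(claims)
    if original is None:
        return None
    orig_client = parse_compound_id(original)[2]
    cur_client = parse_compound_id(claims["asid"])[2]
    return None if orig_client == cur_client else (orig_client, cur_client)


def session_to_continue_with(claims: Dict[str, str]) -> str:
    """Reporter's proposed behaviour (an assumption, not Keycloak's code):
    continue the flow with the original session whenever one is present."""
    return original_session_id(claims) or claims["asid"]


# Constructed sample: the claims of the second token quoted in the mail.
MYCLIENT = "bf56158d-3e48-4ece-bb17-48c5143204ee"
ACCOUNT = "453f147b-011f-4b40-a8c4-6bdac6eabc85"
FIRST_TOKEN_ASID = f"f8deaf74-0ea9-4e0d-bc4d-70e9f4ed45ae.Jm9X3YfsiBg.{MYCLIENT}"
SECOND_TOKEN = {
    "oasid": FIRST_TOKEN_ASID,
    "asid": f"9449b12e-9364-43d9-a4ab-3f29e9fe1bdb.KbiccXfmQyE.{ACCOUNT}",
    "compoundOriginalAuthenticationSessionId": FIRST_TOKEN_ASID,
}

if __name__ == "__main__":
    print(client_mismatch(SECOND_TOKEN))  # prints (MYCLIENT, ACCOUNT): the bug
    print(session_to_continue_with(SECOND_TOKEN) == FIRST_TOKEN_ASID)  # True
```

Running the check against the first-stage token (which has no original session claim) returns None, so the same function works as a regression test for both stages of the verification flow.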