[keycloak-user] redirectUri gets lost when opening email verification link in new browser (since authSession gets lost)

Christoph Tavan christoph at contentpass.de
Thu Jul 26 10:24:26 EDT 2018


Hello Keycloak Mailinglist,

I'm struggling with getting user registrations that require email verification to work in a native app context.

In my test setup I have a native (iOS) mobile app that includes OIDC authentication. Normal login works perfectly: The Keycloak login form is opened in a webview, the user logs in and redirects back to an app link which the native app can handle, all good.

Things don't work that smoothly when a user wants to register within the webview. Here's what happens to my understanding:

1. Webview is opened, Keycloak creates a new authSession where the redirectUri (from the redirect_uri url query parameter) is stored.
2. User registers, verification email is sent.
3. User clicks on the email verification link which opens in the system browser where the authSession of the app's webview is obviously not present. The user is presented with the confirmEmailAddressVerification verification and clicks the proceedWithAction link.
4. Email is now verified. However, since the original authSession that was created in the webview and that contained the redirectUri is not present in the system browser, the user is now presented with a link to the baseUrl of the client instead of the app-url that was originally passed as redirect_uri to the initial authorization request. I have tried to configure the app url as "Base URL" in the client, but this doesn't get rendered in the view. Instead the "back to application" link points to /auth/realms/REALMNAME/account

I think this whole problem is not specific to the native app use case: we would have the same issue if the registration process is started in one browser and the email verification link is opened in a different browser where the initial login authSession is not present.

Has anyone ever gotten this to work? I.e. continuation of a registration flow in a new browser session which was different from the session where the registration began?

Thanks
Christoph

