Verification E-Mail / Link leads to Zitadel profile page

[aheissenberger]

Problem:
The user is not redirected to the page he intended to go after the registration process when clicking the link in the email verification email.

User Flow:

1. A User clicks on a Link which requires Authentication
2. the Application adds the link clicked by the user to the state parameter of the OAuth call to the Zitadel Login Form
3. the User choses the signup process
4. receives an E-Mail with a code to verify the email

Now there are 2 possible next Steps:
A.) User copies the Code from the E-Mail to the Form on the webpage

1. the user is presented with a login form
2. the user will be redirected to the callback which was provided with the call to the login form
3. the application can grab the original link the user tried to access from the state and redirects the user to the page

B.) User clicks on the link in the e-mail

1. the user is presented with a login form
2. the user will be redirected to the Zitadel User Profile Page

I know that I can set a default page on organisation and/or instance level (/ui/console/org-settings?id=login) which will be used but this does not solve the problem that the callback of the original OAuth process is not called and the user is not getting redirected to the page he intended to go.

[fforootd]

Hm can you elaborate this:

I know that I can set a default page on organisation and/or instance level (/ui/console/org-settings?id=login) which will be used but this does not solve the problem that the callback of the original OAuth process is not called and the user is not getting redirected to the page he intended to go.

Or is it simply that the activation flow does not respect the default redirect url?

[hifabienne]

I think it is about having the authrequest id included in the link, so we can redirect the user to the correct starting point. This would also be beneficial in the password reset process.
I talked about this with @livio-a about two weeks ago, but not sure what the state is currently.

The problem we would have when including the authrequest id in the email, and the user does use a different device, for example starting the flow on a desktop, and then pressing the link on the mobile phone, it would result in an error. as the auth request is bound to a device and should be finished there.

[aheissenberger]

Having a working solution on the same device/browser would help.

Is the problem with the device bound a Zitadel problem or a problem of the app handling the callback?
I would understand that an evaluation with a browser client (e.g. React App) will fail on a different device or browser (some user open a different Browser from their E-Mail Client). A backend should be able to handle a session between multiple devices if the state contains the session key.

A modern approach would be to send a Server-Event or Websocket Message to any open E-Mail Verification Code Form if the Verification is done on an other device. This would allow to stay in the auth flow on the device where the registration was started but does not cover the case that someone has closed the original window/browser with the registration flow and klicks on the link in the email at a later point in time.

[aheissenberger]

@hifabienne I suggest you to take a look at how Vercel is handling this process:

1. in the browser, they show a code (e.g. "Elegant Howler Monkey") on the screen for verification
2. ask the user to compare this code with the code the user receives in the email
3. a click on the button "VERIFY" will open a page in the browser with an info that the verification was successful and that this tab can be closed. There is no need to enter any code!
4. the original browser tab with the code (step 1) gets automatically redirected to the next step e.g. the target page requested by the user

• This process works if different devices or browsers are used
• it forces the user to do the email verification immediate to continue and will still work if done later and avoids the handover of the redirect by closing the tab after verification

[livio-a]

Hey @aheissenberger

Yes the problem relates to the device bound problem, esp. the current login UI is not easy to change.
A working solution for the same device will be available shortly: #7815