(tested on RH-SSO 7.2.4)
The following steps reproduce the bug:
1. Register a user with a client DIFFERENT from account, for example on a URL like this:
Notice that the URL contains client_id=my-client.
After registration, a verification link is sent to the registered e-mail address. The link is as follows:
Notice that client_id is preserved.
Now, if the user uses the same browser and opens that link, everything is fine.
If the user changes browser, for example because he is on a bus and uses his phone to check e-mail, his e-mail client prefers another browser, etc., he is presented with another page on which he has to click Proceed. The link behind that is:
Notice that the client_id is wrong; it is changed to "account" (which I guess is the default).
Then the user ends up in a totally unexpected place and (in our case) is lost.
The error, I believe, is in org.keycloak.authentication.actiontoken.verifyemail.VerifyEmailActionTokenHandler#handleToken.
Here it seems that, if the authSession is new, the client id is not copied from the URL.
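To make the two code paths concrete, here is a small Python model of the behaviour described above. It is an added illustration, not Keycloak's own code: the link, the `key` value and the session dictionary are constructed placeholders, and `handle_token_buggy`/`handle_token_fixed` are hypothetical stand-ins for the handler logic, showing the fallback to "account" on a fresh session beside the variant that keeps the client_id carried in the link.

```python
from urllib.parse import urlparse, parse_qs

# Keycloak falls back to the "account" client when no client is carried over.
DEFAULT_CLIENT = "account"

# Constructed sample verification link (the real link from the report is not
# reproduced); only the query parameters matter for this illustration.
VERIFY_LINK = (
    "https://sso.example.test/auth/realms/demo/login-actions/action-token"
    "?key=ACTION_TOKEN_PLACEHOLDER&client_id=my-client&tab_id=abc123"
)


def client_id_from_link(link):
    """Return the client_id query parameter of an action-token link, or None."""
    return parse_qs(urlparse(link).query).get("client_id", [None])[0]


def handle_token_buggy(link, existing_session):
    """Hypothetical model of the reported behaviour.

    Same browser: an auth session exists and its client is reused.
    Different browser: the session is new, the client_id in the link is
    ignored and the user is sent on with the default "account" client.
    """
    if existing_session is not None:
        return existing_session["client_id"]
    return DEFAULT_CLIENT


def handle_token_fixed(link, existing_session):
    """Same model, but a new session takes its client from the link."""
    if existing_session is not None:
        return existing_session["client_id"]
    return client_id_from_link(link) or DEFAULT_CLIENT


def continuation_preserves_client(original_link, proceed_link):
    """Regression check: does the 'Proceed' link keep the original client_id?"""
    return client_id_from_link(original_link) == client_id_from_link(proceed_link)


if __name__ == "__main__":
    same_browser = {"client_id": "my-client"}  # constructed session state
    print("buggy, same browser:     ", handle_token_buggy(VERIFY_LINK, same_browser))
    print("buggy, different browser:", handle_token_buggy(VERIFY_LINK, None))
    print("fixed, different browser:", handle_token_fixed(VERIFY_LINK, None))
```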