Type: Bug
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oidc
Describe the bug
With the newly-supported UPDATE_EMAIL Application-Initiated Action (documented here), we can trigger the "update email" flow from within our application.
This is very similar to UPDATE_PASSWORD. In fact, from the app's POV, there isn't any difference between invoking UPDATE_EMAIL and UPDATE_PASSWORD: You redirect to the OIDC authorization endpoint with kc_action set, Keycloak takes over for a while and guides the user through some process, and in the end, Keycloak redirects back to the app's OIDC callback URL.
However, with UPDATE_EMAIL, when the user is finally redirected back to the app after having verified their new email address, all OIDC parameters are missing. The callback endpoint is invoked without any parameters, like https://my.app/oidc-callback.
Version
26.4.6
Regression
[ ] The issue is a regression
Expected behavior
When clicking the link in the "Verify new email" email, and then "Back to Application" on the Keycloak success screen, Keycloak should redirect to the OIDC callback with correct parameters (just like after a normal login).
If the user clicks on the "Verify new email" link when they are not logged in to Keycloak (e.g. they open it in a different browser, or at a later time), then the verification still succeeds (this is correct).
Clicking "Back to Application" should then ideally first go to the Keycloak login screen (without going through the app at all), and only then redirect back to the app with correct OIDC params.
Actual behavior
After a user confirms their new email address, they are redirected to the app's OIDC callback without any parameters.
The app then likely shows an error to the user, since this scenario is not valid (should never happen) according to the OIDC spec.
How to Reproduce?
1. Enable the UPDATE_EMAIL feature for a realm with email verification turned on.
2. Create a simple web app using OIDC / Keycloak (all standard).
3. Log in to the app via Keycloak.
4. (optional) Verify that Application-Initiated Actions work in general by adding and invoking an UPDATE_PASSWORD AIA. Observe that your OIDC callback endpoint is correctly invoked.
5. Add and invoke an UPDATE_EMAIL AIA.
6. Enter a new email address and confirm.
7. Click the verification link in the email you just got.
8. You should see an "Email updated" informational screen by Keycloak. It also contains a link, "Back to Application". Click it.
9. Observe that you are redirected to your OIDC callback without any parameters.
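Added example (not code from this report or from Keycloak) showing the application side of the flow described above: the authorization request with kc_action set, and a callback classifier that distinguishes a well-formed return from the parameter-less redirect this issue reports, so the app can restart the login instead of showing an error. The authorization endpoint, client id and redirect URI are constructed placeholders; the kc_action_status parameter is the one Keycloak documents for AIA returns and is not mentioned in the report itself.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for this example; substitute your realm's endpoint and client.
AUTHORIZATION_ENDPOINT = "https://keycloak.example/realms/demo/protocol/openid-connect/auth"
CLIENT_ID = "my-app"
REDIRECT_URI = "https://my.app/oidc-callback"


@dataclass
class PendingAuth:
    """What the app keeps in the user's session before redirecting to Keycloak."""
    state: str
    nonce: str
    code_verifier: str
    kc_action: Optional[str] = None


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(kc_action: Optional[str] = None) -> Tuple[str, PendingAuth]:
    """Build the authorization request; kc_action (e.g. UPDATE_EMAIL) makes it an AIA."""
    pending = PendingAuth(
        state=secrets.token_urlsafe(32),
        nonce=secrets.token_urlsafe(32),
        code_verifier=secrets.token_urlsafe(48),
        kc_action=kc_action,
    )
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": REDIRECT_URI,
        "state": pending.state,
        "nonce": pending.nonce,
        "code_challenge": pkce_challenge(pending.code_verifier),
        "code_challenge_method": "S256",
    }
    if kc_action:
        params["kc_action"] = kc_action
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}", pending


def classify_callback(callback_url: str, pending: Optional[PendingAuth]) -> dict:
    """Decide what the callback handler should do with an incoming redirect.

    Outcomes:
      restart_login    - no parameters at all (the UPDATE_EMAIL return described in
                         the report): send the user through a fresh authorization
                         request rather than rendering an error page
      provider_error   - Keycloak returned error=...
      state_mismatch   - state is absent or differs from the stored one (or nothing is
                         stored, e.g. a different browser); discard the response
      invalid_response - state matched but no code was returned
      exchange_code    - well-formed: redeem the code with code_verifier, check nonce
    """
    query = parse_qs(urlsplit(callback_url).query)
    if not query:
        return {"outcome": "restart_login"}
    # Keycloak appends kc_action_status (success/cancelled/error) on AIA returns.
    action_status = query.get("kc_action_status", [None])[0]
    if "error" in query:
        return {"outcome": "provider_error", "error": query["error"][0],
                "kc_action_status": action_status}
    state = query.get("state", [None])[0]
    if (pending is None or state is None
            or not secrets.compare_digest(state.encode("utf-8"), pending.state.encode("utf-8"))):
        return {"outcome": "state_mismatch"}
    code = query.get("code", [None])[0]
    if code is None:
        return {"outcome": "invalid_response"}
    return {"outcome": "exchange_code", "code": code,
            "code_verifier": pending.code_verifier, "kc_action_status": action_status}


if __name__ == "__main__":
    url, pending = build_authorization_url("UPDATE_EMAIL")
    print(url)
    # The redirect this issue reports: no query string at all.
    print(classify_callback(REDIRECT_URI, pending))
    print(classify_callback(f"{REDIRECT_URI}?code=abc&state={pending.state}", pending))
```

The classifier deliberately treats "no parameters" and "wrong state" differently: the former is the symptom reported here and is safe to recover from by starting a new authorization request, while the latter may be a forged or replayed response and should never lead to a code exchange.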