Hi Mike, if you need to do multiple redirects or stages of the user flow, I recommend totally owning those steps outside the community. So you would implement a new interim location for the community to send a user to, and that request's query string will bear the community's "return" URL. From there, if you need the user to go through more steps, you'll want to pass that stateful data along in your own secure way. It's neater for your application to manage those handoffs because you can validate and secure the redirect URLs according to your own policies, and you can also update your overall flow in any future way without worrying about updating the community's configuration or sequencing the change just right across platforms.
As a rough example:
Community sends user to //YOURSITE/login?redirect_to=https://COMMUNITY/welcomeback/
You validate the redirect URL https://COMMUNITY/welcomeback/ and set it as a (trusted) property of the user's session
You perform a myriad of auth-related tasks, maybe bouncing through a couple URLs, and eventually, the user is logged in
You check for the community redirect URL, and if it is there, you set the necessary cookies and forward the user along to their final destination
Using the session is just one way to carry that state across the flow. You could also encrypt the final destination, or even pass it along via cleartext query parameters. Just make sure you've properly validated the URL before you use it.
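The flow described in the reply above, sketched as an added example that is not part of the original post: validate the `redirect_to` value once, keep only the validated URL in the session, and forward to it after login. The host `community.example.com`, the fallback `/account`, and the function names are assumptions, and `session` is a plain dict standing in for your framework's server-side session.

```python
from urllib.parse import urlsplit

# Assumptions for this sketch: the community's host and a fallback landing page.
ALLOWED_HOSTS = {"community.example.com"}
DEFAULT_LANDING = "/account"


def validate_redirect(url):
    """Return url if it is an absolute https URL on an allowed host, else None."""
    # Reject backslashes, control characters and padding that browsers and
    # URL parsers may interpret differently.
    if not url or url != url.strip() or any(c in url for c in "\\\r\n\t"):
        return None
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https":
        return None  # also rejects scheme-relative and non-http(s) schemes
    if parts.username is not None or parts.password is not None:
        return None  # userinfo can disguise the real host
    if port not in (None, 443):
        return None
    if parts.hostname not in ALLOWED_HOSTS:
        return None  # exact match only, no suffix or substring checks
    return url


def begin_login(session, query):
    """Step 2 of the flow: store the return URL only if it validates."""
    session.pop("return_to", None)  # never carry over a stale value
    target = validate_redirect(query.get("redirect_to", ""))
    if target:
        session["return_to"] = target


def finish_login(session):
    """Final step: use the trusted URL exactly once, else fall back."""
    return session.pop("return_to", DEFAULT_LANDING)
```

If you carry the destination in a query parameter instead of the session, call `validate_redirect` again at the point of use, since the value has been back in the user's hands.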