- DATE:
- AUTHOR: Ory Team
Improved user experience in complex OAuth2 flows
Previously, a bug could occur under certain circumstances when a user without an existing account switched from the login flow to the registration flow. Specifically, complex flow navigations (e.g., from OAuth2 Login to Registration, then to Verification) inadvertently dropped the return_to parameter. As a result, the OAuth flow either got stuck on the /ui/welcome/ page of the Account Experience or just returned a session to SPA clients without redirecting the flow back to the OAuth client. This also affected applications that set a return_to parameter on registration while requiring the account to be verified before the user can sign in.
We have now fixed this bug to ensure smooth transitions during user registrations and verifications within an OAuth2 flow. In instances where clients set up session_after_registration and required_verification, the intended return_to behaviour is now preserved, preventing the end-user from getting stuck. Additionally, a related CORS issue regarding the max-age and X-XSRF-TOKEN has been resolved.
No action is needed from developers.
The bug fix has re-established the expected OAuth2 flow navigation behaviour and will provide a seamless user experience in cases of multiple flow transitions.