There is an optional parameter to ad_returnredirect.
The recover_password procedure should use a configuration of the external authority to redirect to the explicit URL only using the optional parameter.
    if { $forgotten_url ne "" } {
        ad_returnredirect $forgotten_url
        ad_script_abort
    }
could be changed to use the new allow_complete_url parameter.
    ad_proc -public ad_returnredirect {
        {-message {}}
        {-html:boolean}
        {-allow_complete_url:boolean}
        target_url
    } {
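
An added example, not OpenACS code and not part of the original note: a plain tclsh model of the policy that allow_complete_url controls, in which a redirect to a complete URL on another host is refused unless the caller opts in. The procs url_host and check_redirect and all host names are hypothetical, and the refuse-by-default behaviour is an assumption about ad_returnredirect that this page does not itself state.

```tcl
# Simplified model (assumption), not OpenACS source. url_host, check_redirect
# and every host name below are hypothetical and constructed for illustration.

# Return "" for a local path, otherwise the lower-cased host of the URL
# ("<no-host>" for schemes without an authority, such as javascript:).
proc url_host {url} {
    # Browsers treat a backslash like a slash, so normalise before parsing.
    set url [string map {\\ /} [string trim $url]]
    regexp -nocase {^([a-z][a-z0-9+.-]*:)?(//([^/?#]*))?} $url -> scheme slashes authority
    if {$scheme eq "" && $slashes eq ""} {
        return ""
    }
    # Drop userinfo and port so that user@host:443 yields host.
    regsub {^.*@} $authority {} authority
    regsub {:\d*$} $authority {} authority
    if {$authority eq ""} {
        return "<no-host>"
    }
    return [string tolower $authority]
}

# Classify a redirect target as local, external-allowed or rejected.
#   current_host          host the request arrived on
#   allow_complete_url_p  1 when the caller passed the modelled flag
proc check_redirect {current_host target_url {allow_complete_url_p 0}} {
    set host [url_host $target_url]
    if {$host eq "" || $host eq [string tolower $current_host]} {
        return local
    }
    if {$allow_complete_url_p} {
        return external-allowed
    }
    return rejected
}

# Constructed sample: forgotten_url as it might be configured for an
# external authority, checked with and without the opt-in flag.
set forgotten_url "https://sso.example.org/forgot-password"
foreach {url flag} [list /register/ 0 $forgotten_url 0 $forgotten_url 1 \
                        //sso.example.org/x 0 "javascript:void(0)" 0] {
    puts [format "%-42s flag=%d -> %s" $url $flag \
              [check_redirect www.example.com $url $flag]]
}
```

The opt-in is only appropriate where, as in recover_password, the target comes from the authority's configuration rather than from request input.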