#U1fhednar

that's one option, or you could authenticate the user in whatever way you usually do, like setting login cookies that the browser will also send when the return_url is visited

Fair enough. Thank you. I thought it wise to check if there are best practices that might prevent me from falling into any security pitfalls before proceeding.