Currently, when a person token is forbidden because of the person's security groups, the rckipid URL parameter is still emitted, but with the value "TokenForbidden". The target page then shows a message that the token is invalid, and the person has no way to reach the page they were trying to get to, even after logging in: any link to the login page does not carry the correct return URL.
One alternative is not to emit the rckipid= parameter at all. This has the added benefit of preserving the existing redirect to the login page with a return URL, because the secured page is then requested without a token and handled the normal way.
Another alternative is to update the code that displays the invalid token message so that it includes a button to the login page, with the original page (including its query string) as the return URL parameter.
In either case, the person is taken to a login page and then redirected back to where they were trying to go once they have logged in.
Use Case Problems:
The Group Attendance Reminder email generates a link that logs them in, which, when the token is forbidden, takes them to the correct page but with a message that the token is invalid. They then need to click a login button, log in, and find their way back to the page. I updated the Lava to only include the person token parameter in the link if the token is not forbidden. This leads them to the login page with the correct page and parameters as the return URL.
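The two alternatives above and the link fix in the use case, worked through as an added example (Python, not Rock's own code or the Lava from the email template). The "TokenForbidden" sentinel is taken from the text above; the login page path, the `handle_request` simulation and the `token_is_valid` callback are assumptions for illustration. The example also makes two choices a practitioner would want that the text does not spell out: the rckipid parameter is stripped from the return URL so the person is not sent back into the invalid-token message after logging in, and only local return URLs are accepted so the login link cannot become an open redirect.

```python
from typing import Callable, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_FORBIDDEN = "TokenForbidden"  # sentinel value named in the issue text
LOGIN_PAGE = "/page/3"              # assumed path of the login page (hypothetical)


def _with_query(url: str, query: list) -> str:
    """Rebuild url with the given (key, value) pairs as its query string."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(query=urlencode(query)))


def build_link(page_url: str, token: Optional[str]) -> str:
    """Alternative 1 / the template fix: only append rckipid when the token is usable.

    A forbidden or missing token yields a plain link, so the secured page falls
    back to its normal login redirect instead of showing the invalid-token message.
    """
    if not token or token == TOKEN_FORBIDDEN:
        return page_url
    query = parse_qsl(urlsplit(page_url).query, keep_blank_values=True)
    query.append(("rckipid", token))
    return _with_query(page_url, query)


def strip_rckipid(url: str) -> str:
    """Remove any rckipid parameter so a return URL never carries a bad token."""
    query = [(k, v) for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True)
             if k != "rckipid"]
    return _with_query(url, query)


def is_local_url(url: str) -> bool:
    """Accept only same-site relative paths as return URLs (no scheme, no host, no //)."""
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == "" and url.startswith("/") and not url.startswith("//")


def login_url_for(requested_url: str) -> str:
    """Alternative 2: a login link whose returnurl is the original page and parameters."""
    return_to = strip_rckipid(requested_url)
    if not is_local_url(return_to):
        return_to = "/"  # refuse to bounce the person off-site after login
    return LOGIN_PAGE + "?" + urlencode({"returnurl": return_to})


def handle_request(requested_url: str, is_authenticated: bool,
                   token_is_valid: Callable[[str], bool]) -> dict:
    """Simulate a secured page's decision for one request (hypothetical flow).

    Returns a small dict describing what the page would do, so the behaviour
    for each combination of token state and login state can be checked.
    """
    params = dict(parse_qsl(urlsplit(requested_url).query, keep_blank_values=True))
    token = params.get("rckipid")
    if token is None:
        if is_authenticated:
            return {"action": "render", "url": requested_url}
        # No token at all: the normal login redirect with a return URL still works.
        return {"action": "redirect", "url": login_url_for(requested_url)}
    if token == TOKEN_FORBIDDEN or not token_is_valid(token):
        # Instead of a dead-end message, offer a login link that returns to this page.
        return {"action": "invalid_token", "login_url": login_url_for(requested_url)}
    # Valid token: render the page; the token does not need to stay in the address.
    return {"action": "render", "url": strip_rckipid(requested_url)}


if __name__ == "__main__":
    page = "/page/123?GroupId=45"  # constructed sample attendance page URL
    print(build_link(page, TOKEN_FORBIDDEN))
    print(handle_request(page + "&rckipid=TokenForbidden", False, lambda t: False))
```

Running the script shows that the forbidden-token link is emitted without rckipid, and that a request that does arrive with rckipid=TokenForbidden gets a login link whose returnurl is the original page with its GroupId parameter but without the token.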