Android SDK Password Resets

SDK: Auth0 Android SDK
SDK Version: 1.23.0

After a user clicks a “reset password” link in our mobile application, we invoke Auth0’s authenticationAPIClient.resetPassword("", "Username-Password-Authentication") method. If the user clicks the link in their email, they are directed to our web application in their mobile browser to enter a new password.

We’d like to improve this experience as requiring the use of a mobile browser is not ideal. Instead, we’ve made changes to deep link the user to a screen in our mobile application so that they can enter a new password.

We’ve discovered that the web application and the Auth0 JS libraries utilize a _csrf token as part of the reset flow. The token appears to be generated and included on the web page:

new Auth0ChangePassword({
    email: "", // DO NOT CHANGE THIS
    csrf_token: ".......", // DO NOT CHANGE THIS

Attempting to trigger a password reset with the new password will result in the following error if a _csrf token is not included in the request:

    "name": "CsrfInvalidTokenError",
    "message": "Invalid CSRF token",
    "code": "invalid_csrf_token",
    "statusCode": 403

This is problematic as mobile applications are not susceptible to CSRF and thus there is no token to generate.

How can we utilize Auth0’s SDKs and APIs to ensure a user can reset their password within our mobile app?