SDK: Auth0 Android SDK
SDK Version: 1.23.0
After a user clicks a “reset password” link in our mobile application, we invoke Auth0’s authenticationAPIClient.resetPassword("email@example.com", "Username-Password-Authentication") method. If the user clicks the link in their email, they are directed to our web application in their mobile browser to enter a new password.
We’d like to improve this experience as requiring the use of a mobile browser is not ideal. Instead, we’ve made changes to deep link the user to a screen in our mobile application so that they can enter a new password.
We’ve discovered that the web application and the Auth0 JS libraries utilize a _csrf token as part of the reset flow. The token appears to be generated and included on the web page:
new Auth0ChangePassword({
  email: "example@example.com", // DO NOT CHANGE THIS
  csrf_token: ".......", // DO NOT CHANGE THIS
  // remaining widget options omitted in the original post
});
Attempting to trigger a password reset with the new password will result in the following error if a _csrf token is not included in the request:
{
"name": "CsrfInvalidTokenError",
"message": "Invalid CSRF token",
"code": "invalid_csrf_token",
"statusCode": 403
}
This is problematic as mobile applications are not susceptible to CSRF and thus there is no token to generate.
How can we utilize Auth0’s SDKs and APIs to ensure a user can reset their password within our mobile app?
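To make the 403 above concrete, here is an added example (not Auth0's code or part of the original post) that models the synchronizer-token check the error implies: the reset page mints a token for the browser session that rendered it, and a POST is accepted only if it echoes that same token. A screen reached by deep link in the native app never receives such a token, so its submission carries none and is rejected exactly like the bare request shown. All names and the session model are assumptions constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Error body copied from the response quoted in the post.
CSRF_ERROR = {
    "name": "CsrfInvalidTokenError",
    "message": "Invalid CSRF token",
    "code": "invalid_csrf_token",
    "statusCode": 403,
}


@dataclass
class ResetPageSession:
    """Constructed stand-in for the server-side session behind one rendered reset page."""
    email: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_reset_page(email: str):
    """Simulates the reset page render: a fresh session plus the widget config
    the page embeds (the same email/csrf_token pair seen in the post)."""
    session = ResetPageSession(email)
    widget_config = {"email": email, "csrf_token": session.csrf_token}
    return session, widget_config


def handle_reset_post(session: ResetPageSession, form: dict) -> dict:
    """Server-side check on the password-change POST.

    The submitted _csrf must match the token minted for the session that
    rendered the form; constant-time comparison avoids a timing side channel.
    """
    submitted = form.get("_csrf")
    if not submitted or not hmac.compare_digest(submitted, session.csrf_token):
        return CSRF_ERROR
    if form.get("email") != session.email:
        return {"code": "email_mismatch", "statusCode": 400}
    # Password policy, ticket validation etc. would follow here.
    return {"message": "password updated", "statusCode": 200}
```

A native screen that wants to submit without this token is therefore not missing a client-side detail; the page-bound token is the server's evidence that the form it rendered is the one being submitted.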