Automatically trigger auth flow

Due to the CSRF protection being turned on/recommended, I can’t seem to figure out how to trigger an auth flow automatically (when someone accesses a url that’s protected). If I have a login link/button with a post action, it works fine, but I can’t seem to trigger it when someone goes to a protected url (i.e. http://some.domain/app).

Is this possible without removing CSRF protection and not having another page with a login button? I’d prefer the user experience of automatically triggering the flow.

Thank you!

Could you please provide more context for your question? It’s not clear why CSRF protection would prevent you from triggering the authorization flow.

If you are using Auth0.js you can use webAuth.authorize to do this.

If you are using auth0-spa-js you simply call loginWithRedirect as described here.

Otherwise you can redirect the user directly to /authorize.

Thanks for replying! I’m using Rails and have enabled the CSRF protection with the recommended omniauth-rails_csrf_protection gem. This gem enables CSRF. But doing this requires a POST request, thus there is no longer a GET route I can redirect to. The only way to redirect is now through a button/link using data-method=“POST”.

I’m trying to redirect to the login page without the user having to explicitly click on anything. They go to a protected page and, if they are not logged in, it would redirect them to auth0.

Disabling omniauth-rails_csrf_protection works, but then you’re exposed to https://nvd.nist.gov/vuln/detail/CVE-2015-9284
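
The request-phase rule described in the post above, as a simplified model added here (an illustrative example, not code from the thread, Auth0 or the omniauth-rails_csrf_protection gem). The function names, the session hash and the result symbols are assumptions; it shows why a plain redirect (a GET) cannot start the flow while a same-site form POST carrying the session's token can.

```ruby
require "securerandom"

# Assumed shape of the request-phase route: /auth/<provider>
AUTH_ROUTE = %r{\A/auth/[a-z0-9_]+\z}

# Issue (or reuse) the per-session token that a same-site form embeds.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Model of the decision made before the user is sent to the identity provider.
def request_phase(method, path, session, params)
  return :not_an_auth_route unless path.match?(AUTH_ROUTE)
  # A redirect from a protected page arrives as a GET, which no longer starts the flow.
  return :not_handled unless method == "POST"
  # A forged cross-site POST cannot read the victim's session token.
  return :rejected unless secure_equal?(session[:csrf_token], params["authenticity_token"])
  :redirect_to_provider
end

if __FILE__ == $0
  session = {}                       # constructed sample session
  token = issue_csrf_token(session)
  cases = {
    "redirect from protected page (GET)" => ["GET", {}],
    "cross-site POST without token"      => ["POST", {}],
    "same-site form POST with token"     => ["POST", { "authenticity_token" => token }]
  }
  cases.each do |label, (method, params)|
    puts "#{label}: #{request_phase(method, '/auth/auth0', session, params)}"
  end
end
```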