Changing redirect URL to a POST rather than a GET with PII in the url

sthakur · May 29, 2020, 1:42am

This is a duplicate of this ticket (with some more information) which did not have a resolution and was closed: Auth0 adding personally identifiable information to redirect URL
We are using the Auth0 hosted password reset page and after a successfult password reset the user is being redirected back to our sign-in page:

See: Dashboard → Emails → Templates → Redirect To

The redirect url generated by Auth0 included PII (personally identifiable information) in the form of the users email and a message:

http://mydomain.com/users/sign_in?email=user@email.com&message=You%20can%20now%20login%20to%20the%20application%20with%20the%20new%20password.

This information ends up in Google Analytics and is a violation of the TOS:

It also just a bad idea to include a user’s email in a plain URL and a message which can be hijacked into making the user believe something else.

How can we prevent the redirect URL from containing the user’s email and message? Is there anyway to send these parmeters as part of a request body using the POST action rather than a GET. This is coming as part of an internal security audit from one of our clients

markd · May 29, 2020, 7:55pm

Hello @sthakur,

Welcome to the Community. I would suggest submitting this to the feedback link as well:

andy.carter · June 1, 2020, 1:30pm

Hi @sthakur,

You can remove the email address from the URL by updating your email templates:

sthakur · June 1, 2020, 10:24pm

Hi @andy.carter,

Thanks for the response. I do have one follow-up question:

Do I have to PATCH this one time only for every Auth0 appliance that I have? Or will this need to be done everytime when the instance is restarted?

Thanks,
Sagar Thakur

sthakur · June 1, 2020, 10:56pm

Hi @andy.carter,

I tried using the API Explorer as well as Postman to PATCH the email template but i am getting the following response:

{
“statusCode”: 404,
“error”: “Not Found”,
“message”: “The template does not exist and cannot be updated.”,
“errorCode”: “inexistent_email_template”
}

andy.carter · June 3, 2020, 3:43pm

Hi @sthakur,

You should just need to patch this once via the management API. With regards to the 404, please check you are using reset_email for the templateName parameter rather than password_reset or change_password, which are only present for legacy reasons.

system · June 18, 2020, 3:43pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auth0 adding personally identifiable information to redirect URL Help password-reset , redirect-rules , reset	3	4298	March 2, 2018
Change redirect-back-to-app url parameters? Help url , redirect , config	5	5241	March 2, 2018
HELP: Auth0 protocols are violating Google AdSense terms; how do I change pass reset URL? Help password-reset , google , adsense	6	3809	March 2, 2018
After the password reset or email verification, redirected links have the user's email in it. How can I avoid it? Help password-reset , email-template , verification-email	3	3359	April 23, 2020
Mail ID in the Auth0 Url Help redirecturi	2	3595	March 2, 2018

Changing redirect URL to a POST rather than a GET with PII in the url

Related Topics