Password change ticket return URLs not working in Rails with GET requests

I’m integrating Auth0 password change functionality with our Rails app to allow users to change their own passwords. Using the #post_email_verification API call is straightforward and mostly works well.

But upon completion, the “Back to [My Application]” button/link doesn’t work.


The Classic Universal Login experience allows you to specify a result_url when making the API call to create the ticket. That sounds ideal. But we are using the New Universal Login experience, which causes that not to work. Instead, the linked documentation says we are supposed to set the “Application Login URI”, which will then be used instead.

And that’s what happens. The “Return to [My Application]” button/link does a GET request to the entered URI, with a parameter: https://myapplication.com/users/auth/auth0?iss=https%3A%2F%2Ftenantlogin.com%2F

But due to this security vulnerability (CVE-2015-9284), recommended best practices do NOT allow GET requests to be made to the “Application Login URI”.

In fact, when an application is configured according to the Auth0 SDK installation instructions, the application includes the omniauth-rails_csrf_protection Ruby gem which disables the GET route.

What actually shows is a black screen with the curt message: Not found. Authentication passthru.

So, how are we supposed to keep this secure … AND … make it work?
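One way to reconcile the two requirements, as an added example that is not part of the original post and not Auth0's or the gem's own code: point the "Application Login URI" at a separate landing path (here the hypothetical `/auth0/landing`) rather than at the OmniAuth request path `/users/auth/auth0`. The landing action accepts the GET, validates the `iss` parameter against the tenant issuer you expect (the issuer list and the `Auth0Passthru` module are assumptions for this example), and renders a page whose form POSTs to the OmniAuth request path with the Rails authenticity token, which is exactly the request shape omniauth-rails_csrf_protection permits. Only the plain-Ruby part runs stand-alone; the Rails wiring is shown in comments.

```ruby
require "uri"
require "cgi"

# Added example (not from the original post or from Auth0): helpers for a
# GET-safe landing route behind the New Universal Login "Back to app" link,
# which arrives as
#   GET /auth0/landing?iss=https%3A%2F%2Ftenantlogin.com%2F
# The OmniAuth request path stays POST-only, so the gem's CSRF protection
# (the fix for CVE-2015-9284) is left fully in place.
module Auth0Passthru
  # Issuers this app trusts. Constructed for the example; a real app would
  # derive this from the Auth0 domain in its credentials.
  TRUSTED_ISSUERS = ["https://tenantlogin.com/"].freeze

  # OmniAuth request path that omniauth-rails_csrf_protection only allows via POST.
  REQUEST_PATH = "/users/auth/auth0"

  # Returns the normalised issuer when `iss` is on the allowlist, otherwise nil.
  # `iss` is a query parameter anyone can set, so it is untrusted input: require
  # https, an exact host match, no path/query/userinfo tricks.
  def self.trusted_issuer(iss)
    return nil if iss.nil? || iss.empty?
    uri = URI.parse(iss)
    return nil unless uri.is_a?(URI::HTTPS)
    return nil unless (uri.path == "/" || uri.path.empty?) && uri.query.nil? && uri.userinfo.nil?
    candidate = "https://#{uri.host}/"
    TRUSTED_ISSUERS.include?(candidate) ? candidate : nil
  rescue URI::InvalidURIError
    nil
  end

  # Builds the landing page body: a POST form to the OmniAuth request path that
  # carries the Rails authenticity token, auto-submitted by a small script, with
  # the button left visible as the no-JavaScript fallback. Returns nil (caller
  # should respond 400) when the issuer is not trusted. In Rails the token comes
  # from `form_authenticity_token`; here it is just a string argument.
  def self.passthru_form_html(authenticity_token, iss)
    return nil if trusted_issuer(iss).nil?
    token = CGI.escapeHTML(authenticity_token.to_s)
    <<~HTML
      <form id="passthru" method="post" action="#{REQUEST_PATH}">
        <input type="hidden" name="authenticity_token" value="#{token}">
        <button type="submit">Continue to My Application</button>
      </form>
      <script>document.getElementById("passthru").submit();</script>
    HTML
  end
end

# Rails wiring (assumed names; needs a Rails app, so shown as comments):
#
#   # config/routes.rb
#   get "/auth0/landing", to: "auth0_landing#show"
#
#   # app/controllers/auth0_landing_controller.rb
#   class Auth0LandingController < ApplicationController
#     def show
#       html = Auth0Passthru.passthru_form_html(form_authenticity_token, params[:iss])
#       html ? render(html: html.html_safe, layout: true) : head(:bad_request)
#     end
#   end
#
# Then set "Application Login URI" in the Auth0 dashboard to
# https://myapplication.com/auth0/landing
```

In a real Rails view the form reduces to `button_to "Continue", "/users/auth/auth0"`, which emits the same POST form and token; the hand-built HTML above only exists so the helper can run outside Rails. The `iss` check does not replace the CSRF protection, it just stops the landing page from accepting a link that claims to come from a tenant you do not use.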