Password reset and then login sends invalid callback url

johnarmstrong · November 9, 2018, 4:54am

We just went live with a new tenant and we are seeing behavior where the password reset form sends the wrong callback url.

Steps to reproduce

Press reset password link, auth0 lock pops up in reset mode
Enter address, press send email, banner turns green and waits for login
in another browser complete the process.
Come back to original window and type in your new password, press login
Invalid callback url. Our callback url is Higg but its always sending https://portal.higg.org and users get the invalid callback screen.

As a temporary workaround we have added the base path to our callback urls. At least then users are not getting an error screen ,just some frustration when they have to click login again.

Are we configuring this wrong?
Tx!

konrad.sopala · November 9, 2018, 9:40am

Hey there @johnarmstrong

Could you go through the flow again and DM me with the HAR file + your tentant name so I can investigate it further?

Here’s some documentation when troubleshooting with a HAR file:

Thanks a lot!

johnarmstrong · November 12, 2018, 3:50pm

Hi Konrad, Tenant name is production-higg. Links to files:

HAR: portal.higg.org.har - Google Drive
Demo video: password_reset_callback_url.mp4 - Google Drive

Tx!
J

konrad.sopala · December 7, 2018, 8:38am

Hey @johnarmstrong sorry for my delay in response. Totally understand what you mean with the video however the HAR file doesn’t provide us with much info. Have you performed all the actions presented in the video before pulling out the HAR file?

I’ll try to reproduce the issue and get back to you with information!

konrad.sopala · December 7, 2018, 9:42am

However that’s probably what you were looking for @johnarmstrong:

The field name is Redirect To

Let me know if that helps!

konrad.sopala · December 10, 2018, 12:53pm

You can redirect users to a specific page on the Allowed Callback URL using the following:

{application.callback_domain}/result_page

If your application has multiple Allowed Callback URLs configured, Auth0 will use the first URL listed.

johnarmstrong · December 12, 2018, 1:19am

Yup, that fixed it. So in this case ‘reset password’ uses ‘email redirectTo’ parameter when logging in after requesting a reset. This was confusing for me since its clear the the parameters in the email screen refer to the email and not a web-based flow. But since all password resets are email based I get how they are related now.

Fixed and great, thank you Konrad for chasing this one down for me!

konrad.sopala · December 12, 2018, 11:59am

Glad we made it work!

system · January 11, 2019, 11:59am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.