Redirecting to universal login from a GET request

Background:

  • Migrating from the existing authentication stack to universal login
  • “traditional” Rails app
  • Using omniauth-auth0
  • Home page (with the sign-in button) is cached
  • We have static pages also pointing to the sign-in URL “/signin”

What is the recommended route for getting users from “/signin” to the universal login?

For testing purposes, we added a button in the response for GET /signin that POSTs to http://localhost:8080/users/auth/auth0, which then redirects to my tenant’s universal login authorize endpoint. For production, we don’t want to make them click two buttons before seeing a sign-in prompt.

I’m under the impression that the reason for the POST request also has to do with CSRF protection (which we can’t do from a static/cached page AFAIK). Converting the buttons on the static/cached pages to POST is certainly possible, but would the lack of CSRF protection be a concern?

A hacky way would be to respond with a POST form that auto-submits itself when the page loads. This could result in some visual UI flickering as the redirect occurs after page load (this is what the repost gem does).

It’s my understanding that supporting a redirect from the GET request leads to the situation explained here but I don’t fully understand it. That same post also says the self-submitting POST form defeats the purpose and I don’t understand why.

I feel like I’m missing a piece or I’m misrepresenting something because things don’t all add up.
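As an added illustration (this is not code from the original post, from omniauth-auth0 or from the repost gem), the plain-Ruby model below shows the two pieces the question turns on: a CSRF token bound to the server-side session, which a Rails app with CSRF verification on the OmniAuth request phase demands on the POST to /users/auth/auth0, and the auto-submitting form that GET /signin could render to bridge into that POST. Apart from the /users/auth/auth0 path taken from the question, every name here (issue_csrf_token, handle_request_phase, auto_submit_form_html) is this example's own.

```ruby
# Added example (not from the original post, omniauth-auth0 or the repost gem):
# a minimal model of a CSRF-protected OmniAuth request phase and of the
# "auto-submitting POST form" bridge from GET /signin.
require "erb"
require "securerandom"

# Session-bound token. It lives in the server-side session, so only a page this
# app served to the same browser session can embed it in a form.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.urlsafe_base64(32)
end

# Constant-time comparison so a rejected guess leaks nothing about the token.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_csrf_token?(session, submitted)
  secure_compare(session[:csrf_token], submitted)
end

# The OmniAuth request phase as a Rails app with CSRF verification sees it:
# only a POST carrying the session's token may start the redirect to the
# identity provider. A GET, or a POST from a page that could not read the
# token, is rejected before any redirect happens.
def handle_request_phase(session, method, params)
  return :rejected unless method == "POST"
  return :rejected unless valid_csrf_token?(session, params["authenticity_token"])
  :redirect_to_idp
end

# What GET /signin would render: a form that posts to the OmniAuth request path
# and submits itself on load (the approach the repost gem takes). Because the
# token is baked into the markup per session, this response must not be served
# from a shared cache or as a static page.
FORM_TEMPLATE = ERB.new(<<~HTML)
  <form id="signin" method="post" action="<%= action %>">
    <input type="hidden" name="authenticity_token" value="<%= token %>">
    <noscript><button type="submit">Continue to sign in</button></noscript>
  </form>
  <script>document.getElementById("signin").submit();</script>
HTML

def auto_submit_form_html(action, token)
  FORM_TEMPLATE.result_with_hash(action: ERB::Util.html_escape(action),
                                  token: ERB::Util.html_escape(token))
end

if __FILE__ == $PROGRAM_NAME
  session = {}                      # stands in for the Rails session store
  token = issue_csrf_token(session)
  puts auto_submit_form_html("/users/auth/auth0", token)
  p handle_request_phase(session, "POST", "authenticity_token" => token)  # :redirect_to_idp
  p handle_request_phase(session, "GET", {})                               # :rejected
end
```

The check does one thing: it ties the POST that starts the login to a page this app rendered for this session. That is exactly what a cached home page or a static sign-in page cannot provide, which is the tension the question describes; moving the token-bearing form into an uncached GET /signin response keeps the static pages as plain links while the POST to the request phase still carries a valid token.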