Hi everyone!
I’m working on a setup with two separate domains:
- Marketing site (React) → https://domain.fr
- SaaS app (Rails 7.2 + Devise + OmniAuth + Auth0) → https://app.domain.fr
Goal
When a visitor clicks “Login” on my React marketing site, I want them to land directly on the Auth0 Universal Login page, just like when someone visits my Rails app (https://app.domain.fr) for the first time.
So ideally:
- Visiting https://app.domain.fr → immediately redirects to Auth0 Universal Login
- Clicking “Login” on https://domain.fr → goes to the same Auth0 login page (same flow)
Problem
By default, OmniAuth in Rails expects the authorization request to be a POST, so it can store the state parameter in session before redirecting to Auth0.
If I allow a GET request (using OmniAuth.config.allowed_request_methods = [:get, :post]), it works — both the direct visit and the button from React correctly open the Auth0 login page — but this exposes me to CSRF vulnerabilities.
So my questions are:
- Is there a safe way to handle login redirects across two domains (domain.fr → app.domain.fr) without allowing GET requests?
- Can I somehow preserve or synchronize the state parameter so the OAuth flow remains valid even if the first request doesn’t come from the Rails domain?
Environment
- Rails 7.2
- Devise + OmniAuth + OmniAuth-Auth0
- React (Vite) for the marketing site
- Auth0 Universal Login
- Local setup: http://localhost:5173 → https://localhost:3001
Any advice or best practices from those who managed this multi-domain login flow would be amazing!
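As an added illustration of the flow the post describes (not the poster's code, and not Rails, Devise or OmniAuth internals), here is a stdlib-only Ruby model of keeping the request phase POST-only while letting the marketing site start login with a plain link: the link points at an assumed GET page on the app domain (https://app.domain.fr/login), that page renders a same-origin form carrying a session-bound CSRF token, the POST mints the OAuth state, and the callback checks it. The session is a plain Hash, and AUTH0_DOMAIN, CLIENT_ID and the paths are placeholders/assumptions.

```ruby
require "securerandom"
require "uri"

# Placeholders for this example; the real values come from the Auth0 tenant.
AUTH0_DOMAIN = "TENANT.auth0.com"
CLIENT_ID    = "CLIENT_ID_PLACEHOLDER"
CALLBACK_URL = "https://app.domain.fr/users/auth/auth0/callback"

# Constant-time string comparison so token and state checks do not leak
# how many leading bytes matched.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 1 (GET https://app.domain.fr/login, assumed path): the marketing site only
# links here. Because this page is served by the app domain, the form it renders
# is same-origin and can carry a CSRF token bound to the visitor's session.
def login_page(session)
  session[:csrf] ||= SecureRandom.urlsafe_base64(32)
  <<~HTML
    <form method="post" action="/users/auth/auth0">
      <input type="hidden" name="authenticity_token" value="#{session[:csrf]}">
      <button type="submit">Continue to login</button>
    </form>
  HTML
end

# Step 2 (POST /users/auth/auth0): the request phase stays POST-only. A request
# without a valid session-bound token (a cross-site link, a bare GET) is refused,
# which is exactly the protection that allowing GET would remove. Otherwise mint
# the OAuth state, keep it in the session and build the Auth0 authorize URL.
def start_auth(session, params)
  return nil unless secure_equal?(session[:csrf], params["authenticity_token"])
  state = SecureRandom.hex(24)
  session[:oauth_state] = state
  query = URI.encode_www_form(response_type: "code", client_id: CLIENT_ID,
                              redirect_uri: CALLBACK_URL,
                              scope: "openid profile email", state: state)
  "https://#{AUTH0_DOMAIN}/authorize?#{query}"
end

# Step 3 (callback): Auth0 sends the state back; it must match the one stored
# in this session and is consumed so it cannot be replayed.
def callback(session, params)
  expected = session.delete(:oauth_state)
  secure_equal?(expected, params["state"]) ? :ok : :state_mismatch
end
```

The same shape maps onto Rails as a GET route that renders a `button_to` (or auto-submitting form) for the OmniAuth path, with `allowed_request_methods` left at `[:post]`.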