Unable to access end-user IP in a Rule

Hello,
We are sending the end-user IP via the header auth0-forwarded-for as documented at "Avoid Common Issues with Resource Owner Password Flow and Attack Protection".

Everything works fine, I can see that the brute force protection is reading the right IP address (dashboard → user profile → blocked_for).

However, when I try to access the IP in a Rule with context.request.ip, I still get the IP of our server. Is there a way to get the end-user IP?

I was also surprised (and confused) to see that the dashboard (“users” and “logs” sections) is also showing the server IP instead of the end-user IP.

Thanks in advance,
Andy

As of now, the auth0-forwarded-for header is only applicable to and used by Anomaly Detection features. There is discussion about expanding this to be available in Rules, and I have passed on your feedback internally; however, we have no ETA or commitment as to whether this will be implemented.

Can you please provide more information on your use case for us to evaluate?

We have an IP blacklist, and we need to prevent logins with those IP addresses. We could perform the IP check after we call your password grant endpoint, but a Rule feels more appropriate.

Besides the IP blacklist, it would be nice in general to be able to retrieve the real user IP via an API and/or in the dashboard.
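
Added example (not part of the thread and not Auth0's code): the server-side check mentioned above, done in the backend before the password grant is sent, since context.request.ip in a Rule only sees the server. The function names, the blocklist entries and the `cfg` fields are assumptions made for illustration; IPv4 only, and anything that does not parse is rejected.

```javascript
// Constructed blocklist entries (RFC 5737 documentation ranges).
const BLOCKLIST = ['203.0.113.0/24', '198.51.100.7/32'];

// Dotted-quad IPv4 (or the IPv4-mapped form "::ffff:a.b.c.d") -> uint32, null if invalid.
function ipv4ToInt(ip) {
  const m = /^(?:::ffff:)?(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/i.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// True when the address falls inside any blocklisted CIDR range.
function isBlocked(ip, blocklist = BLOCKLIST) {
  const addr = ipv4ToInt(ip);
  if (addr === null) return true; // fail closed: unparseable input is treated as blocked
  return blocklist.some((cidr) => {
    const [base, bitsStr = '32'] = cidr.split('/');
    const bits = Number(bitsStr);
    const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Returns a request description for the password grant, or null when the
// end-user IP is blocklisted. endUserIp must come from the socket or a proxy
// you control, never from a header the client can set freely.
function buildPasswordGrant(endUserIp, username, password, cfg) {
  if (isBlocked(endUserIp)) return null; // refuse before credentials leave the backend
  return {
    url: `https://${cfg.domain}/oauth/token`,
    method: 'POST',
    headers: {
      'content-type': 'application/json',
      // Same header the thread uses so brute-force protection sees the real IP.
      'auth0-forwarded-for': endUserIp.replace(/^::ffff:/i, ''),
    },
    body: JSON.stringify({
      grant_type: 'password',
      username,
      password,
      client_id: cfg.clientId,
      client_secret: cfg.clientSecret,
    }),
  };
}
```

A non-null result can be passed to an HTTP client as `fetch(r.url, r)`; a null result should be logged and answered with a generic login failure.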