I implemented the “Trust Token Endpoint IP Header” flow in our application and was hoping to test it to validate that the IPs were coming through correctly. My first instinct was to check the logs, but it was still using the server IP. I found someone with the same issue and posted a reply there.
Is there a recommended way to test this? I ran out of ideas.
After talking with Auth0 support, I was directed to start my own thread here.
If you are looking to do a sanity check of your implementation to ensure that it 's working as expected then you could do a one-time test of twelve login attempts with wrong credentials for the same test user. These attempts should be done from the same IP address, but then half would use the auth0-forwarded-for header with an IP address A and the other half with an IP address of B.
According to the docs brute force detection will kick-in if a user enters their password incorrectly more than 10 times from a single IP address so if trust token endpoint IP header is not configured correctly the user would be blocked while if it’s being done correctly the user should not be blocked.