
Ability to restrict user access by a specific IP Address

I need the ability to pass Auth0 information about specific users and only allow them to authenticate if they are signing in from a specific IP address or range of IP addresses. There is IP Address Authentication, but it says that will be deprecated. When I create a new user through my app now, I send Auth0 that user and their info. I want to send the IP address or range so that it will create the user and only allow them to log in from those. Is that possible?

Hi @glennasherharris,

Welcome to the Auth0 Community Forum!

This should be possible via a rule.

Take a look at this example to get an idea:

Let me know if this doesn’t cover it and we can move forward.

Hope this helps!

Thanks,
Dan

I saw this but this is for all users for the app. I want to limit only a subset of users. When I add a new user through the app I want to be able to configure if they are limited by which IP they can login from. Right now I add the user in my app and pass that info to Auth0 to setup. Is there a way to limit on a user by user basis?

I see.

You could add the check (IP) as app_metadata and check the user's IP against their required IP in their metadata.

Does that make sense?

Can I add the IP address that they are allowed to access the app from to the user_metadata, and then, when they authenticate, check the IP address they are using against that to reject or let them pass? So add some kind of rule when they log in to check? If they fail the IP authentication, can I override the message they receive to let them know they cannot log in from an unauthorized location?

I created the following on the user when creating from my app:

"user_metadata": {
  "valid_ipaddresses": "192.168.0.1"
}

Can I create a rule so that when the user attempts to log in, if this exists, it checks whether it matches the IP address they are trying to log in with? Can I also check to see if it exists in a range? If I had the following:

"user_metadata": {
  "valid_ipaddresses": "192.168.0.1-192.168.0.10"
}

If that won't work, can I use Permissions to call an API when the user attempts to authenticate and pass the IP address they are logging in from into my app? I want to be able to check that against the valid IP addresses and pass back true/false for whether or not they can authenticate in the app.

Hi @glennasherharris,

You’re on the right track.

Your solution can follow this flow:

  • Add the user's allowed IP to app_metadata (keep in mind the difference between user_metadata and app_metadata). You can add this manually, or in another rule that checks if it is the user's first login and assigns that IP as the user's allowed IP in their metadata. This obviously depends on how you are determining their allowed IP.
  • Create a rule that checks that the IP the user is logging in from is the same as the allowed IP in their metadata.
  • If it is not the same, return an error to your app, and have the app display an error page (this is how errors are typically handled when being returned from rules). This allows you to customize the message and UX.
  • If it is, then continue to the application.

Here are a few good resources for crafting rules:



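Below is one way to implement the flow Dan describes, as an added example that is not part of the original thread and not Auth0's own code. It is written in the (user, context, callback) shape that Auth0 Rules use. The metadata key `allowed_ips`, the "a.b.c.d-a.b.c.e" range syntax, and the small `UnauthorizedError` stand-in (the Auth0 rules runtime provides the real one as a global) are all assumptions made for this example. It goes slightly beyond the question by also accepting CIDR notation and a list of entries. A few points worth keeping: the allow-list belongs in app_metadata rather than user_metadata, because user_metadata can be modified by the user themselves; the rule fails closed on anything it cannot parse (an IPv6 client address, a malformed entry), so a typo in the metadata locks the user out rather than waiving the check; and `context.request.ip` is the address Auth0 sees, so clients behind NAT or a proxy will all present the same address. Rules have since been superseded by Actions, where the equivalent inputs are `event.request.ip` and `event.user.app_metadata` and the rejection is `api.access.deny(reason)`.

```javascript
// Added example (not from the original thread): an Auth0 Rule that enforces a
// per-user IP allow-list stored in app_metadata. The `allowed_ips` key and the
// range syntax are assumptions for this example.

// Stand-in for the UnauthorizedError global that the Auth0 rules runtime
// provides; defined here only so the file runs outside Auth0.
class UnauthorizedError extends Error {}

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
// Returns null for anything that is not a well-formed IPv4 address.
function ipv4ToInt(ip) {
  const parts = String(ip).trim().split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const octet = Number(p);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// Parse one allow-list entry: "192.168.0.1", "192.168.0.1-192.168.0.10",
// or "10.0.0.0/8". Returns [lo, hi] as integers, or null if malformed.
function parseEntry(entry) {
  const s = String(entry).trim();
  if (s.includes('-')) {
    const [a, b] = s.split('-');
    const lo = ipv4ToInt(a);
    const hi = ipv4ToInt(b);
    return lo === null || hi === null || lo > hi ? null : [lo, hi];
  }
  if (s.includes('/')) {
    const [base, bitsStr] = s.split('/');
    const baseInt = ipv4ToInt(base);
    const bits = Number(bitsStr);
    if (baseInt === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return null;
    const size = 2 ** (32 - bits);
    const lo = Math.floor(baseInt / size) * size;
    return [lo, lo + size - 1];
  }
  const single = ipv4ToInt(s);
  return single === null ? null : [single, single];
}

// True only if `ip` is a valid IPv4 address inside at least one entry.
// Malformed entries are skipped, never treated as "allow everything".
function ipAllowed(ip, entries) {
  const n = ipv4ToInt(ip);
  if (n === null) return false; // IPv6 or garbage: fail closed
  return entries.some((e) => {
    const r = parseEntry(e);
    return r !== null && n >= r[0] && n <= r[1];
  });
}

// The rule itself. Users without `allowed_ips` in app_metadata are not
// restricted; everyone else must come from a listed address or range.
function enforceAllowedIps(user, context, callback) {
  const meta = user.app_metadata || {};
  let entries = meta.allowed_ips;
  if (entries === undefined || entries === null) {
    return callback(null, user, context);
  }
  if (!Array.isArray(entries)) entries = [entries]; // accept a single string
  if (!ipAllowed(context.request.ip, entries)) {
    return callback(new UnauthorizedError(
      'Login is not permitted from this network location.'));
  }
  return callback(null, user, context);
}

// Local harness: runs the rule against a constructed user and request
// context and reports the outcome instead of continuing the login.
function runRule(appMetadata, ip) {
  let outcome = null;
  enforceAllowedIps(
    { user_id: 'auth0|example', app_metadata: appMetadata }, // constructed
    { request: { ip } },                                      // constructed
    (err) => {
      outcome = err ? { allowed: false, reason: err.message } : { allowed: true };
    }
  );
  return outcome;
}

console.log(runRule({ allowed_ips: '192.168.0.1-192.168.0.10' }, '192.168.0.7'));
console.log(runRule({ allowed_ips: '192.168.0.1-192.168.0.10' }, '192.168.0.11'));
```

When the rule rejects, Auth0 returns the error to the application (for example as `error` and `error_description` on the callback), which is where the custom "unauthorized location" page Dan mentions gets rendered.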