"auth0-forwarded-for" header is only supported for Resource Owner Password flows, and not Client Credentials flows

Feature: Provide support for the “auth0-forwarded-for” header with respect to Client Credentials flows

Description: The user's actual IP address is not getting passed to Auth0 when we are using the Client Credentials flow for token generation.

Use-case: We have multiple implementations where I am using Resource Owner Password flows and Client Credentials flows for different purposes.

The thing is, when someone tries a client_id/client_secret combination with wrong creds, we get lots of requests with an “Unauthorized” error in Auth0. As we are using the Auth0 SDK to call the token endpoint, this creates lots of network calls on the API.

Because we are not getting the actual user’s IP address, our enabled suspicious IP throttling and rate limiting doesn’t stop further requests.

We need to block those unauthorized calls from all those IPs that are continuously hitting the token API with wrong creds.
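As an added example (not part of the original post or of any Auth0 SDK), the following shows the flow the post says is supported: a backend builds a Resource Owner Password request to the Auth0 token endpoint and puts the end user's real IP in the "auth0-forwarded-for" header, so Auth0's suspicious IP throttling and brute-force protection see the caller rather than the backend's own address. It also shows the caveat a practitioner hits when doing this: the forwarded IP must be derived from the TCP peer or from X-Forwarded-For only when that header was set by a proxy you control, otherwise an attacker can spread failed attempts over spoofed addresses and dodge the throttling. A client_credentials request is built with the same shape for contrast, but, as the post states, Auth0 ignores the header for that grant. The tenant domain, client ID/secret, audience, proxy range and sample IPs are placeholders assumed for the example.

```python
"""
Added example (not from the original post): build an Auth0 /oauth/token
request for the Resource Owner Password grant and attach the end user's
real IP in "auth0-forwarded-for". Domain, credentials, audience, trusted
proxy range and sample addresses below are assumed placeholders.
"""
import ipaddress
from typing import Optional
from urllib.parse import urlencode

# Hypothetical tenant values; replace with your own.
AUTH0_DOMAIN = "example.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"
AUDIENCE = "https://api.example.com/"

# Reverse proxies / load balancers allowed to set X-Forwarded-For (assumed).
# A peer outside this range is treated as the real client, whatever it sends.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def real_client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Return the IP to forward to Auth0.

    X-Forwarded-For is honoured only when the TCP peer is one of our own
    proxies; otherwise anyone could forward a fake IP and evade throttling.
    The chain is walked from the right (closest hop) and the first address
    that is not a trusted proxy wins, so attacker-prepended hops are ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for is None or not any(peer in net for net in TRUSTED_PROXIES):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Garbage in the header: never forward it, fall back to the peer.
            return remote_addr
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    # Every hop was one of our proxies; the peer address is the best we have.
    return remote_addr


def build_token_request(grant_type: str, client_ip: str, username: str = "",
                        password: str = "") -> dict:
    """Build url/headers/body for a POST to https://<domain>/oauth/token.

    For grant_type="password" the end user's IP goes in "auth0-forwarded-for"
    (the application also needs "Trust Token Endpoint IP Header" enabled in
    its advanced settings for Auth0 to use it). For "client_credentials" the
    header is attached so the request has the same shape, but Auth0 ignores
    it for that grant, which is exactly the gap the post describes.
    """
    if grant_type not in ("password", "client_credentials"):
        raise ValueError("unsupported grant_type")
    form = {
        "grant_type": grant_type,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "audience": AUDIENCE,
    }
    if grant_type == "password":
        if not username or not password:
            raise ValueError("password grant needs username and password")
        form["username"] = username
        form["password"] = password
    return {
        "url": f"https://{AUTH0_DOMAIN}/oauth/token",
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded",
            "auth0-forwarded-for": client_ip,
        },
        "body": urlencode(form),
    }


def send_token_request(req: dict) -> dict:
    """POST the built request (real network call; not exercised offline)."""
    import json
    import urllib.request
    r = urllib.request.Request(req["url"], data=req["body"].encode(),
                               headers=req["headers"], method="POST")
    with urllib.request.urlopen(r, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: our load balancer (10.0.0.5) forwarded a request that
    # really came from 203.0.113.7; the caller also prepended a fake hop.
    ip = real_client_ip("10.0.0.5", "198.51.100.9, 203.0.113.7")
    req = build_token_request("password", ip, "alice@example.com", "hunter2")
    print(req["url"], req["headers"]["auth0-forwarded-for"])
```

If the backend is the only thing that ever talks to Auth0, it is the backend's IP that suspicious IP throttling sees; forwarding the caller's address this way is what makes the per-IP limits bite on the right party for the password grant.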