Problem statement
I am attempting to use the auth0-forwarded-for header to pass the end user's IP address from our backend to Auth0 in a ROPG flow.
I'm using the following link: Avoid Common Issues with Resource Owner Password Flow and Attack Protection to send the end user IP to Auth0.
I have tested sending auth0-forwarded-for with any value, but the logs don't show the value sent. I've checked the IP and client_ip attributes in the log and both are the same.
Cause
Auth0 ignores the auth0-forwarded-for header for unauthenticated clients (e.g. SPAs or Native apps that cannot provide a client secret), and also when the client has not been explicitly configured to trust the header.
Solution
In order for the tenant logs and attack protection (anomaly detection) to use the IP address passed in the auth0-forwarded-for header in a Resource Owner Password flow, the client ID used for authentication must meet both conditions:
- Its Token Endpoint Authentication Method is NOT "none" (i.e. the client authenticates to /oauth/token with a client secret)
- "Trust Token Endpoint IP Header" is enabled under Advanced Settings > OAuth
Otherwise the header is ignored, and the actual source IP of the call to /oauth/token (in a backend-to-Auth0 setup, the backend's own egress address) is what gets logged and used for anomaly detection.
Once the header is trusted, Auth0 uses whatever address the backend sends, so the backend must take the end user's IP from its own connection (or from X-Forwarded-For as set by a proxy it controls), never from a value the end user can supply, or attack protection can be fed an arbitrary address.
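The following is an added example, not code from Auth0 or from the original post. It shows the backend side of the fix: deriving the end user's IP from the connection and a trusted X-Forwarded-For chain, refusing to send the header for a public client (the case where Auth0 ignores it), and building the /oauth/token request with auth0-forwarded-for set. The tenant domain, client credentials, proxy ranges, and the shape of the log entry checked at the end are assumptions for illustration; the interpretation of the log's `ip` field is an assumption as well and is labelled in the code.

```python
"""Resource Owner Password grant call that forwards the end user's IP to Auth0.

Added example for this article, not code from Auth0. Assumed setup: an Auth0
tenant domain, a client whose Token Endpoint Authentication Method is
"Client Secret (Post)" with "Trust Token Endpoint IP Header" enabled, and a
backend that sits behind a known set of reverse proxies.
"""
import ipaddress
import json
import urllib.parse
import urllib.request

FORWARDED_HEADER = "auth0-forwarded-for"


def end_user_ip_from_request(peer_ip, x_forwarded_for, trusted_proxies):
    """Pick the end user's address from the connection peer and X-Forwarded-For.

    Walk the X-Forwarded-For chain from the right, dropping hops that belong
    to proxies we control; the first remaining hop is the client. Anything
    further left was supplied by the client itself and must not be trusted.
    (Assumed proxy layout; adapt trusted_proxies to your deployment.)
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(ip):
        return any(ipaddress.ip_address(ip) in n for n in trusted)

    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    candidate = peer_ip
    while is_trusted(candidate) and hops:
        candidate = hops.pop()
    return candidate


def validate_end_user_ip(raw):
    """Return a canonical IP string or raise ValueError.

    Auth0 uses the forwarded address for attack protection (anomaly
    detection), so refuse values that can never identify a client:
    loopback, link-local, multicast and the unspecified address.
    """
    addr = ipaddress.ip_address(raw.strip())
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"{addr} cannot be an end-user address")
    return str(addr)


def build_ropg_token_request(domain, client_id, client_secret, username, password,
                             end_user_ip, audience=None, scope="openid"):
    """Return (url, headers, body) for POST https://{domain}/oauth/token.

    The client secret is required: a client with Token Endpoint Authentication
    Method "none" (SPA, native app) has its auth0-forwarded-for header ignored,
    and the backend's own egress IP is logged instead.
    """
    if not client_secret:
        raise ValueError("auth0-forwarded-for is ignored for public clients; use a client with a secret")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        FORWARDED_HEADER: validate_end_user_ip(end_user_ip),
    }
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "scope": scope,
    }
    if audience:
        form["audience"] = audience
    body = urllib.parse.urlencode(form).encode()
    return f"https://{domain}/oauth/token", headers, body


def request_token(domain, client_id, client_secret, username, password, end_user_ip, **kw):
    """Send the request and return the parsed token response (needs network access)."""
    url, headers, body = build_ropg_token_request(domain, client_id, client_secret,
                                                  username, password, end_user_ip, **kw)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def forwarded_ip_honored(log_entry, backend_egress_ip, end_user_ip):
    """Diagnose a tenant log entry for the login attempt.

    Assumption: when the header is trusted, the entry's "ip" field carries the
    forwarded address; when it is ignored, "ip" carries the backend's egress
    address, which is the symptom in the problem statement above.
    """
    ip = log_entry.get("ip")
    return ip == end_user_ip and ip != backend_egress_ip


if __name__ == "__main__":
    # Constructed values, not a real tenant or real traffic.
    ip = end_user_ip_from_request("10.0.0.2", "198.51.100.23, 10.0.0.9", ["10.0.0.0/8"])
    url, headers, _ = build_ropg_token_request("example.auth0.com", "CLIENT_ID", "CLIENT_SECRET",
                                               "user@example.com", "hunter2", ip)
    print(url, headers[FORWARDED_HEADER])
    # Constructed log entries: header trusted (True) versus ignored (False).
    print(forwarded_ip_honored({"ip": "198.51.100.23", "client_ip": "198.51.100.23"}, "192.0.2.10", ip))
    print(forwarded_ip_honored({"ip": "192.0.2.10", "client_ip": "192.0.2.10"}, "192.0.2.10", ip))
```

`request_token` is the only function that touches the network; everything else can be unit-tested offline, which is how the `__main__` block exercises it. If the log check keeps returning False after the two client settings are in place, confirm the client ID in the request is the one you configured, since the trust setting is per client.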