Problem statement
After using the example from the Auth0 document Avoid Common Issues with Resource Owner Password Flow and Attack Protection as a guide, the ‘auth0-forwarded-for’ header has been configured to be sent during the ROPG authentication flow.
However, after testing, the Auth0 dashboard logs are not capturing the ‘auth0-forwarded-for’ value that was sent. This article explains whether this is expected and how to achieve the desired result.
Symptoms
Using the auth0-forwarded-for header to pass the end user’s real IP address from a backend to Auth0 in an ROPG flow.
Troubleshooting
Check the client ID being used; it must both:
- Use a Token Endpoint Authentication Method that is NOT “none”
- Have “Trust Token Endpoint IP Header” enabled in Advanced Settings > OAuth
Cause
Auth0 ignores the auth0-forwarded-for header when the client is unauthenticated (e.g. SPAs or Native apps, which are unable to provide a client secret) or when the client has not been explicitly configured to trust the header.
Solution
For the tenant logs and anomaly detection to use the IP address passed in the auth0-forwarded-for header in a Resource Owner Password flow, the client ID used for the authentication must both:
- Use a Token Endpoint Authentication Method that is NOT “none”
- Have “Trust Token Endpoint IP Header” enabled in Advanced Settings > OAuth
Otherwise, the header will be ignored, and the actual IP used to make the call to “/oauth/token” will be logged and used for anomaly detection.
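The following is an added example, not code from Auth0 or from the article above, showing what a backend's ROPG call to /oauth/token looks like when it forwards the end user's IP. It assumes a confidential client (one that sends a client secret) with “Trust Token Endpoint IP Header” enabled; the tenant domain, client credentials and user credentials are placeholders, and the refusal to send the header without a client secret is this example's own check, added because Auth0 would silently ignore the header and log the backend's IP instead.

```python
"""Backend-side Resource Owner Password Grant (ROPG) call that forwards the
end user's IP to Auth0 in the auth0-forwarded-for header.

Added example; not Auth0's own code. Assumes a confidential client (one with
a client secret) whose "Trust Token Endpoint IP Header" setting is enabled.
Tenant domain, client credentials and user credentials below are placeholders.
"""
import ipaddress
import json
import urllib.parse
import urllib.request

# Placeholders (assumed values); replace with the real tenant settings.
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"


def validate_end_user_ip(raw_ip: str) -> str:
    """Return a normalised IP string, or raise ValueError.

    The value should come from what the backend itself knows about the caller
    (the socket peer address, or a proxy header the backend already trusts),
    never from an unvalidated field in the request body.
    """
    return str(ipaddress.ip_address(raw_ip.strip()))


def build_token_request(username, password, end_user_ip, *,
                        domain=AUTH0_DOMAIN, client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET, audience=None,
                        scope="openid"):
    """Build (url, headers, form_body) for POST https://<domain>/oauth/token.

    Raises ValueError when no client secret is available: Auth0 ignores
    auth0-forwarded-for for unauthenticated clients, so the backend's own IP
    would end up in the tenant logs and anomaly detection instead.
    """
    if not client_secret:
        raise ValueError(
            "auth0-forwarded-for needs an authenticated client "
            "(Token Endpoint Authentication Method must not be 'none')")
    ip = validate_end_user_ip(end_user_ip)
    form = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    if audience:
        form["audience"] = audience
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        # Only honoured when the client is authenticated AND the app has
        # "Trust Token Endpoint IP Header" enabled.
        "auth0-forwarded-for": ip,
    }
    url = f"https://{domain}/oauth/token"
    return url, headers, urllib.parse.urlencode(form)


def request_token(username, password, end_user_ip, **kwargs):
    """Send the request and return the parsed JSON token response (network call)."""
    url, headers, body = build_token_request(username, password, end_user_ip, **kwargs)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed sample input; no network call is made here.
    url, headers, body = build_token_request(
        "alice@example.com", "correct-horse-battery", "203.0.113.7")
    print(url)
    print(headers["auth0-forwarded-for"])
```

After a call made this way, the Auth0 tenant log entry for the login should show 203.0.113.7 (the forwarded address) rather than the backend's egress IP; if it still shows the backend's IP, re-check the two client settings listed in the Solution.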