Blocked User Does not Exist Under User Management

Overview

This article explains why a user blocked by brute force protection does not appear under Auth0 Dashboard > User Management > Users.

Applies To

  • Brute Force Blocked User
  • Management API
  • Blocked Accounts

Solution

Brute force protection is triggered after n failed attempts, regardless of whether the user exists in Auth0 Dashboard > User Management > Users, to prevent enumeration attacks. As a result, a block can exist for an identifier that has no user record.

Use the Auth0 Management API’s Get blocks by identifier endpoint to retrieve the blocks for the given identifier (in this case, the user’s email is sufficient).

An example GET request:
GET api/v2/user-blocks?identifier=user@email.com

If a block is found, unblock the user with the Management API’s Unblock by identifier endpoint, sending the identifier (username, phone number, or email).
DELETE api/v2/user-blocks?identifier=user@email.com
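
The two calls above combined into one script, as an added example that is not part of the original article: it looks up blocks for an identifier and sends the DELETE only when a block is found. The environment variable names and the injectable `send` parameter are assumptions made for this example; `blocked_for` is the field the Get blocks by identifier response uses to list blocks.

```python
import json
import urllib.parse
import urllib.request


def build_request(domain, token, identifier, method):
    """Build a GET or DELETE request for /api/v2/user-blocks."""
    # Percent-encode the identifier: a raw "+" in an email address would
    # otherwise be decoded as a space and the lookup would miss the block.
    query = urllib.parse.urlencode({"identifier": identifier},
                                   quote_via=urllib.parse.quote)
    return urllib.request.Request(
        f"https://{domain}/api/v2/user-blocks?{query}",
        method=method,
        headers={"Authorization": f"Bearer {token}"},
    )


def unblock_if_blocked(domain, token, identifier, send=urllib.request.urlopen):
    """Return the block entries found; send DELETE only if there are any."""
    with send(build_request(domain, token, identifier, "GET")) as resp:
        blocks = json.load(resp).get("blocked_for", [])
    if blocks:
        # A block can exist even when no user record does, so the decision
        # is based on this response, not on a user lookup.
        with send(build_request(domain, token, identifier, "DELETE")):
            pass
    return blocks


if __name__ == "__main__":
    import os
    import sys
    # Assumed variables: tenant domain and a Management API access token.
    found = unblock_if_blocked(os.environ["AUTH0_DOMAIN"],
                               os.environ["AUTH0_MGMT_TOKEN"], sys.argv[1])
    for block in found:
        print("removed block:", block)
    if not found:
        print("no blocks for identifier")
```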
