Overview
This article explains why the following error appears in tenant logs as a result of Censys scanner traffic and provides a workaround.
Error: Missing required parameter: response_type
Cause
This error is generated by traffic from the Censys internet scanner. The Censys scanner makes automated requests to tenant endpoints for security research purposes. These requests do not include the required response_type parameter, which triggers the error message.
Solution
There are currently two solutions to this problem. Both block the traffic coming from the Censys scanner.
The first is to block specific IP ranges directly within the tenant settings using Tenant Access Control List, which can be used to block the Censys scanner's traffic to your tenant.
The second, a workaround, is to use a Web Application Firewall (WAF) to block the scanner's traffic before it reaches the tenant. This requires an Auth0 Custom Domain with Self-Managed Certificates: configure a Content Delivery Network (CDN) with a WAF in front of the custom domain.
In the WAF, create custom rules to block traffic originating from the Censys scanner. This can be accomplished by blocking either the subnets or the User Agent associated with the scanner. Please reach out to Censys for an up-to-date list of their outbound IP addresses.
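Before adding block rules, it helps to confirm which occurrences of the error a subnet or User Agent rule would actually cover. The following is an added example, not Auth0 or Censys code: it assumes tenant logs exported as one JSON object per line with `description`, `ip` and `user_agent` fields, and the subnets and User Agent marker are placeholders to be replaced with the values obtained from Censys.

```python
import ipaddress
import json
from collections import Counter

ERROR_TEXT = "Missing required parameter: response_type"

# Placeholders (RFC 5737 documentation ranges), NOT real Censys ranges.
# Replace with the outbound list obtained from Censys.
SCANNER_SUBNETS = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/25")]
# Placeholder User-Agent marker, also an assumption.
SCANNER_UA_MARKER = "examplescanner"

# Constructed sample events, one JSON object per line.
SAMPLE_LOGS = """
{"description": "Missing required parameter: response_type", "ip": "192.0.2.17", "user_agent": "Mozilla/5.0 (compatible; ExampleScanner/1.0)"}
{"description": "Missing required parameter: response_type", "ip": "192.0.2.17", "user_agent": "Mozilla/5.0 (compatible; ExampleScanner/1.0)"}
{"description": "Missing required parameter: response_type", "ip": "198.51.100.200", "user_agent": "Mozilla/5.0 (compatible; ExampleScanner/1.0)"}
{"description": "Missing required parameter: response_type", "ip": "203.0.113.9", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"}
{"description": "Successful login", "ip": "192.0.2.50", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"}
"""


def classify(event):
    """Return which block rule would catch this event: 'subnet', 'user_agent' or None."""
    try:
        ip = ipaddress.ip_address(event.get("ip", ""))
    except ValueError:
        ip = None  # missing or malformed address: fall through to the UA check
    if ip is not None and any(ip in net for net in SCANNER_SUBNETS):
        return "subnet"
    if SCANNER_UA_MARKER in event.get("user_agent", "").lower():
        return "user_agent"
    return None


def triage(log_text):
    """Split response_type errors into scanner-attributed and unexplained sources."""
    matched, unexplained = Counter(), Counter()
    for line in filter(None, map(str.strip, log_text.splitlines())):
        event = json.loads(line)
        if ERROR_TEXT not in event.get("description", ""):
            continue  # unrelated log entry
        reason = classify(event)
        if reason:
            matched[(event.get("ip"), reason)] += 1
        else:
            unexplained[event.get("ip")] += 1
    return matched, unexplained
```

Calling `triage(SAMPLE_LOGS)` returns two counters: sources a block rule would cover, and sources still producing the error that the rules would not explain. An address matched only by User Agent suggests the subnet list is out of date, and an unexplained source points to a client sending a malformed authorization request rather than to the scanner.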