Consistent Unauthorized Access Attempts on Auth0 /authorize Endpoint - Possible Bot Activity

We’re seeing unauthorized requests consistently targeting our Auth0’s /authorize endpoint over the past few days. These requests originate from different IPs and attempt various unauthorized redirect URLs. Some requests even use malformed client IDs, like <my_client_id>/robots.txt. All attempts are failing, but this seems to be automated bot activity probing for vulnerabilities.

These are our observations:

  • Unauthorized callback attempts: (e.g., https://44.242.57.79/callback, https://beta.minerva-development.amazonaws.com/callback)

  • Multiple source IPs: (123.160.223.74, 101.36.106.89, etc.)

  • Bots using Go-http-client 1.1.0 and malformed client_id/robots.txt requests.

  • Has anyone else faced attacks like this?

  • What can we do to block these attempts?

Hi @brijesh2,

Welcome to the Auth0 Community!

I have just reviewed your tenant logs and noticed the same types of logs you mentioned, specifically with Callback URL mismatch errors.

Usually, when your app calls the login page, the request URL points to the /authorize endpoint with all of the correct values for the domain, client_id, audience, redirect_uri, etc. Exposing the /authorize endpoint is not inherently dangerous since it is intentionally public as part of the OIDC and OAuth 2.0 flow.

However, this could become a threat if an attacker is able to successfully access your login page (/authorize) and then perform an attack on your users.

In this case, you should enable the features available in Attack Protection. I see that you already have these features enabled, so your application is protected here.

At this point, Auth0 will continue to log these failed login events and prevent them from accessing your login page.

Let me know if you have any follow-up questions.

Thanks,
Rueben
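Added example, not from this thread or from Auth0: a small triage script that turns the observations above (Callback URL mismatch failures, raw-IP and unknown redirect hosts, a client_id with a path appended, a non-browser user agent) into per-IP indicator counts that can feed a review or an IP block list. The log events, the field names, the allow-list and the client_id placeholder are all constructed assumptions, not real tenant data.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample events; field names loosely follow an Auth0 tenant log export
# (type "f" = failed login) but are assumed, and ClientIdPlaceholder is not a real id.
SAMPLE_EVENTS = [
    {"type": "f", "ip": "123.160.223.74", "user_agent": "Go-http-client/1.1",
     "client_id": "ClientIdPlaceholder/robots.txt", "description": "Callback URL mismatch.",
     "redirect_uri": "https://44.242.57.79/callback"},
    {"type": "f", "ip": "101.36.106.89", "user_agent": "Go-http-client/1.1",
     "client_id": "ClientIdPlaceholder", "description": "Callback URL mismatch.",
     "redirect_uri": "https://beta.minerva-development.amazonaws.com/callback"},
    {"type": "f", "ip": "101.36.106.89", "user_agent": "Go-http-client/1.1",
     "client_id": "ClientIdPlaceholder", "description": "Callback URL mismatch.",
     "redirect_uri": "https://44.242.57.79/callback"},
]
ALLOWED_CALLBACK_HOSTS = {"app.example.com"}  # assumed tenant allow-list
CLIENT_ID_RE = re.compile(r"^[A-Za-z0-9]+$")  # Auth0 client IDs are alphanumeric

def is_ip_literal(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def classify(event):
    """Return the probe indicators present in one event (empty list = looks normal)."""
    reasons = []
    host = urlsplit(event.get("redirect_uri", "")).hostname or ""
    if host and host not in ALLOWED_CALLBACK_HOSTS:
        reasons.append("redirect_uri host not on allow-list")
    if is_ip_literal(host):
        reasons.append("redirect_uri host is a raw IP literal")
    if not CLIENT_ID_RE.match(event.get("client_id", "")):
        reasons.append("malformed client_id")
    if event.get("user_agent", "").startswith("Go-http-client"):
        reasons.append("non-browser user agent")
    return reasons

def summarize(events, min_failures=1):
    """Group callback-mismatch failures by source IP for review or IP blocking."""
    per_ip = defaultdict(lambda: {"failures": 0, "indicators": Counter()})
    for ev in events:
        if ev.get("type") == "f" and "Callback URL mismatch" in ev.get("description", ""):
            per_ip[ev["ip"]]["failures"] += 1
            per_ip[ev["ip"]]["indicators"].update(classify(ev))
    return {ip: d for ip, d in per_ip.items() if d["failures"] >= min_failures}
```

Raising `min_failures` separates one-off mistakes from repeat sources; the allow-list check mirrors what Auth0 already enforces, so the script only ranks what the tenant logs already refused.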