Problem Statement
Does attack protection apply to custom databases?
And does Auth0 track invalid password attempts for lockout policies with external and internal custom databases in Auth0?
Solution
Yes. The Auth0 Attack Protection, which includes the Bot Detection, Suspicious IP Throttling, Brute Force Protection, and Breached Password Detection apply to Custom Database connections; More specifically, they apply to all Connections. Most of these Attack Protection mechanisms kick in before the custom database’s login script executes, and the “failed attempts” that trigger the protection mechanism counts the failures returned from the custom database’s login script too.
Note that a common issue with Attack Protection and Custom Databases is that if the login script fails due to an internal error, it also counts to the Brute Force Protection trigger, which causes the user to be blocked “unexpectedly”. This often happens in loading tests, where the user uses a single user account to send massive login requests.