How to automate a scenario to make user blocked by the brut-force protection mechanism


We are developing an endpoint, which basically proxies calls to Auth0 User Blocks API. The endpoint will be used to unblock users, who blocked themselves by entering an incorrect password multiple times.

There is no API method on Auth0 side to set such a block on a user, so it is not clear, how we can test this scenario. Obviously, we can have it covered with integration and unit tests, but now we are looking to test this functionality with e2e tests.

The options we see now are the following

  1. Use Password Flow with an incorrect password for a particular user for Login Threshold Maximum Attempts (Brut-Force Protection settings) number of times.
  2. In a UI test, simulate a user entering an incorrect password the same amount of times taken from Brut-Force Protection settings.

Which of the approaches would you recommend? Are there other ways of making a user brut-force blocked for test purposes?

If there are no other alternative ways, except the mentioned above, are there potential issues that our CI agents can run into with either of the approaches?


Hi @serp,

Thanks for reaching out to the Auth0 Community!

I understand that you have questions about blocking users via brute-force protection for testing purposes.

Unfortunately, as you have found, Auth0 currently does not have a way to block users through brute-force protection with an endpoint. Instead, the user can only be brute-force blocked thru unsuccessful login attempts.

With that said, your proposed solutions seem like a valid way to test. I would add that the Maximum Attempts login threshold should be set to 1 to make testing quicker. This way, you can use the Password Flow with an incorrect password for all users and trigger a brute-force block.

I hope this helps!

Please let me know if you have any further questions.

Thank you.

1 Like