Overview
This article provides methods to block access to the Delegated Admin Extension (DAE) for specific IP addresses.
Applies To
- Delegated Admin Extension
Solution
The Delegated Admin Extension (DAE) authenticates through its own application in the tenant and therefore has a specific client_id, as detailed in the Delegated Administration Extension setup instructions. That client_id is what identifies DAE traffic in both methods below. Access to the DAE can be restricted using one of the following methods.
NOTE: These are conceptual approaches. Any implementation requires thorough testing in a non-production environment before deployment.
- A Post Login Action can be used to block access to the DAE. The Action runs after a successful login, checks whether the login is for the DAE application (by comparing event.client.client_id with the DAE's client_id), and denies the login when the caller's IP address is on the blocklist. Logins to other applications are unaffected. See the following sample code for an example of how to create this action:
  exports.onExecutePostLogin = async (event, api) => {
    // IP addresses that must not reach the DAE (placeholder values).
    const blockedIPs = ["1.2.3.4", "2.3.4.5"];
    // Only act on logins to the DAE application; replace the placeholder
    // with the client_id of the DAE application in the tenant.
    if (event.client.client_id === "client_id_used_by_DAE") {
      // event.request.ip is the IP address of the client performing the login.
      if (blockedIPs.includes(event.request.ip)) {
        api.access.deny("Access to DAE blocked");
      }
    }
  };
- If a custom domain with self-managed certificates is in use, a block can be configured on the reverse proxy. Since traffic for the custom domain travels through the reverse proxy, it is possible to block access for specific IP addresses to all URLs that contain the client_id used by the DAE (for example, the /authorize request, which carries client_id as a query parameter). Note that this only covers requests that reach the tenant through the custom domain; the Action method applies regardless of which domain the login uses.
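The following is an added example, not code from this article or from Auth0, that expands the Post Login Action above: the matching logic is pulled into pure functions so it can be exercised offline, and the blocklist is generalized to accept CIDR ranges as well as single IPv4 addresses. The client_id value and the blocklist entries are placeholders, and the event/api shapes used in the helper at the bottom are a constructed stand-in for the Auth0 Actions runtime.

```javascript
// Added example (not Auth0's own code). Assumes the Post Login Action API:
// event.client.client_id, event.request.ip and api.access.deny(reason).

// Placeholder: replace with the client_id of the DAE application in the tenant.
const DAE_CLIENT_ID = "client_id_used_by_DAE";

// Placeholder blocklist: single IPv4 addresses or IPv4 CIDR ranges.
const BLOCKED = ["1.2.3.4", "2.3.4.5", "203.0.113.0/24"];

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer,
// or return null if the string is not a well-formed IPv4 address.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v; // stays within Number's exact integer range
  }
  return n;
}

// True if `ip` equals the entry (no prefix) or lies within the CIDR entry.
// Malformed entries or addresses never match, so a typo in the blocklist
// cannot accidentally block everyone.
function matchesEntry(ip, entry) {
  const ipInt = ipv4ToInt(ip);
  if (ipInt === null) return false;
  const [net, bitsStr] = String(entry).split("/");
  const netInt = ipv4ToInt(net);
  if (netInt === null) return false;
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  if (bits === 0) return true;
  // Compare the top `bits` bits. Integer division avoids the signed
  // 32-bit wraparound that JavaScript's >> and >>> operators introduce.
  const divisor = 2 ** (32 - bits);
  return Math.floor(ipInt / divisor) === Math.floor(netInt / divisor);
}

function isBlocked(ip, blocklist = BLOCKED) {
  return blocklist.some((entry) => matchesEntry(ip, entry));
}

// Pure decision: returns the denial reason for a DAE login from a blocked
// address, or null when the login should proceed (other apps, or an
// address that is not on the list).
function denialReason(clientId, ip, blocklist = BLOCKED) {
  if (clientId !== DAE_CLIENT_ID) return null;
  return isBlocked(ip, blocklist) ? "Access to DAE blocked" : null;
}

// The Action entry point, as it would be pasted into an Auth0 Post Login Action.
const onExecutePostLogin = async (event, api) => {
  const reason = denialReason(event.client.client_id, event.request.ip);
  if (reason !== null) {
    api.access.deny(reason);
  }
};

// Constructed harness standing in for the Auth0 runtime: builds a minimal
// event/api pair and returns the reasons passed to api.access.deny().
// The Action awaits nothing, so deny() has already run when the call returns.
function runAction(clientId, ip) {
  const event = { client: { client_id: clientId }, request: { ip } };
  const denials = [];
  const api = { access: { deny: (reason) => denials.push(reason) } };
  onExecutePostLogin(event, api);
  return denials;
}

if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Only IPv4 is handled here: an IPv6 or otherwise unparseable address never matches an entry and the login proceeds, which is the expected semantics for a blocklist but means the list must be extended (or replaced with an allowlist) if IPv6 callers must also be controlled.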