IP addresses in auth0-forwarded-for header

I’m logging in with password grant type and send client IP address with all hops it passes in auth0-forwarded-for header. However, I noticed that in the documentation it’s written that there should be a single IP address. My questions are:

  1. Are you going to change the behaviour?
  2. Is it ok to send several IP addresses in auth0-forwarded-for?
  3. Which of these addresses is used for bruteforce protection?

Hi @alexei_p,

Welcome to the Auth0 Community and thank you for your post!

Unfortunately you cannot send multiple IP addresses in the auth0-forwarded-for header since it is designed only for a single valid IPv6 or IPv4 address, otherwise you will receive a Failed Exchange error.

  • Only the IP address contained in the auth0-forwarded-for header is checked against the brute-force protection and suspicious IP throttling. However you can also add specific client IPs to the AllowLists to be ignored when triggering brute-force protection and suspicious IP throttling.

This is the intended behavior of an authorized header since the client needs to be authenticated within a flow and the auth0-forwarded-for header will only be accepted for authenticated calls with the Client Secret.

I would recommend checking our Avoid Common Issues with Resource Owner Password Flow and Attack Protection documentation.

Hope this helps.
Best regards,
Remus
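An added example (not code from the thread or from Auth0) of how the caller's side can reduce a multi-hop X-Forwarded-For chain to the single address the header accepts: walk the chain from the hop nearest your own proxies, skip addresses in a trusted-proxy range you control, validate the result as IPv4/IPv6, and only then build the password-grant request. The trusted range, tenant domain, client id and secret are placeholders; the request is assembled but not sent.

```python
import ipaddress

# Assumed: a reverse proxy you control appends to X-Forwarded-For.
# Only hops inside this range are trusted; anything a client could
# prepend to the chain is not. Constructed placeholder range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def select_client_ip(xff_header, trusted=TRUSTED_PROXIES):
    """Return the one client address from an X-Forwarded-For hop chain.

    Walk from the right (the hop nearest to us) and skip our own proxies;
    the first untrusted hop is the client. Every entry must parse as an
    IPv4 or IPv6 address, otherwise the whole chain is rejected.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if not hops:
        raise ValueError("empty X-Forwarded-For header")
    parsed = [ipaddress.ip_address(h) for h in hops]  # raises on garbage
    for addr in reversed(parsed):
        if not any(addr in net for net in trusted):
            return str(addr)
    # Every hop was one of our proxies: fall back to the leftmost entry.
    return str(parsed[0])


def build_password_grant_request(domain, client_id, client_secret,
                                 username, password, client_ip):
    """Describe (without sending) a Resource Owner Password Flow token
    request that carries exactly one address in auth0-forwarded-for."""
    # Auth0 accepts a single IPv4/IPv6 address here; a comma-separated
    # list is rejected with a Failed Exchange error, so fail early.
    if "," in client_ip:
        raise ValueError("auth0-forwarded-for must hold exactly one address")
    ipaddress.ip_address(client_ip)  # validate before sending
    return {
        "method": "POST",
        "url": f"https://{domain}/oauth/token",
        # The header is only honoured on calls that present the client
        # secret, so this must be a confidential (server-side) client.
        "headers": {"Content-Type": "application/json",
                    "auth0-forwarded-for": client_ip},
        "body": {"grant_type": "password", "username": username,
                 "password": password, "client_id": client_id,
                 "client_secret": client_secret},
    }
```

The address returned by `select_client_ip` is the one that brute-force protection and suspicious IP throttling will evaluate, so picking a hop a client can forge would let an attacker shift the lockout onto someone else's address.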
