I’m logging in with password grant type and send client IP address with all hops it passes in auth0-forwarded-for
header. However, I noticed that in the documentation it’s written that there should be a single IP address. My questions are:
- Are you going to change the behaviour?
- Is it ok to send several IP addresses in auth0-forwarded-for?
- Which of these addresses is used for bruteforce protection?
Hi @alexei_p,
Welcome to the Auth0 Community and thank you for your post!
Unfortunately you cannot send multiple IP addresses in the auth0-forwarded-for header since it is designed only for a single valid IPv6 or IPv4 address, otherwise you will receive a Failed Exchange error.
- Only the IP address contained in the auth0-forwarded-for header is checked against the brute-force protection and suspicious IP throttling. However, you can also add specific client IPs to the AllowLists to be ignored when triggering brute-force protection and suspicious IP throttling.
This is the intended behavior of an authorized header since the client needs to be authenticated within a flow and the auth0-forwarded-for header will only be accepted for authenticated calls with the Client Secret.
I would recommend checking our Avoid Common Issues with Resource Owner Password Flow and Attack Protection documentation.
Hope this helps.
Best regards,
Remus
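The answer above boils down to two rules: auth0-forwarded-for carries exactly one IPv4 or IPv6 address, and it is only honoured on a password-grant call made with the client secret. The following is an added example, not code from this thread or from Auth0, showing how a backend that sits behind its own proxies can reduce a multi-hop X-Forwarded-For chain to the single end-user address and then build the /oauth/token request that carries it. It picks the address by walking the chain from the right and skipping the proxies it trusts, so an address an attacker prepends to the header cannot displace the real client. The trusted proxy ranges, the YOUR_TENANT.auth0.com domain, the credential placeholders and the function names select_client_ip, build_token_request and send_token_request are assumptions of this example.

```python
"""Added example (not from the Auth0 community thread or Auth0's own code):
reduce a multi-hop X-Forwarded-For chain to the single end-user address that
the auth0-forwarded-for header expects, then build the Resource Owner Password
grant request that carries it together with the client secret.

Assumptions (not from the thread): the trusted proxy ranges, the tenant domain
YOUR_TENANT.auth0.com and all credential values are placeholders; the
select_client_ip / build_token_request / send_token_request names are this
example's own.
"""
import ipaddress
import json
import urllib.parse
import urllib.request
from typing import Iterable


def select_client_ip(forwarded_for: str, trusted_proxies: Iterable[str]) -> str:
    """Return the one address to forward to Auth0.

    Walk the X-Forwarded-For chain from the right (the hop nearest to us) and
    skip every address that belongs to a proxy we operate; the first address
    that is not ours is the end-user's. Walking from the right means a caller
    cannot change the result by prepending addresses to the header, which a
    leftmost-wins rule would allow.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)  # rejects anything that is not IPv4/IPv6
        except ValueError as exc:
            raise ValueError(f"malformed hop in X-Forwarded-For: {hop!r}") from exc
        if not any(addr in net for net in trusted):
            return str(addr)
    raise ValueError("every hop belongs to a trusted proxy; client IP unknown")


def build_token_request(domain: str, client_id: str, client_secret: str,
                        username: str, password: str, audience: str,
                        client_ip: str) -> dict:
    """Build the password-grant POST for /oauth/token.

    auth0-forwarded-for carries exactly one address; the request is made with
    the client secret, which is what makes the header acceptable to Auth0.
    """
    if not client_ip or "," in client_ip:
        raise ValueError("auth0-forwarded-for must contain a single IP address")
    ipaddress.ip_address(client_ip)  # final sanity check, raises on garbage
    body = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "audience": audience,
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "auth0-forwarded-for": client_ip,
    }
    return {"url": f"https://{domain}/oauth/token", "headers": headers, "body": body}


def send_token_request(req: dict) -> dict:
    """Perform the request built above (network call, so not run offline)."""
    data = urllib.parse.urlencode(req["body"]).encode()
    http_req = urllib.request.Request(req["url"], data=data,
                                      headers=req["headers"], method="POST")
    with urllib.request.urlopen(http_req, timeout=10) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed sample chain: end user 203.0.113.7 behind two proxies of ours.
    chain = "203.0.113.7, 10.0.0.2, 10.0.0.3"
    ip = select_client_ip(chain, ["10.0.0.0/8"])
    req = build_token_request("YOUR_TENANT.auth0.com", "CLIENT_ID", "CLIENT_SECRET",
                              "user@example.com", "user-password",
                              "https://api.example.com", ip)
    print(req["headers"]["auth0-forwarded-for"])  # 203.0.113.7
```

The chain the backend receives should include every hop it knows about (the direct TCP peer appended last); if every hop is one of your own proxies the function refuses to guess rather than forwarding a proxy address, which would make brute-force protection count all your users as one client.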