IP Blacklisting/Controls for M2M token calls

IP Blacklisting for M2M calls

At present it is possible to implement a whitelist for M2M calls to the Auth0 API. However, it does not appear possible to implement a blacklist for IPs where calls are coming for M2M access tokens to the Auth0 API. The problem with this is potentially unauthorized access and usage of M2M token quota, which could then have knock-on effects.

From research, Auth0 does have IP throttling, Bot Detection, Brute Force Detection built in (security/attack-protection in Dashboard) but these seem geared towards end user login flows, not M2M tokens. I see that there are some controls in place at the token level, but this relates to stopping calls from IPs before the token is issued.

It would be useful to have

  • IP throttling, Bot Detection, Brute Force Detection type controls for M2M token calls, and a way to add some custom control (e.g. x calls per minute from an IP for a token, blacklist it, place on blacklist with reason why). Such a custom control would allow the customer to determine a pattern that looked suspicious based on how they know their system is configured.
  • A way to manually add/remove IP addresses if needed to a Blacklist for this purpose

I have looked and not been able to see this specifically raised before. Feedback would be welcome, hope the above is clear.

Regards,
James
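
The custom control requested in the post above (x calls per minute from an IP for a token, then blacklist it with a reason) can be approximated on the customer side over exported tenant logs. The following is an added example, not part of the original post and not Auth0 code; the event type codes, the `date`/`ip`/`client_id` field names, the `build_blocklist` helper and all sample records are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: client-credentials token events appear in exported tenant logs
# with these type codes and with "date", "ip" and "client_id" fields.
M2M_TYPES = {"seccft", "feccft"}

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def build_blocklist(events, limit=5, window=timedelta(minutes=1), allow=()):
    """Return {ip: reason} for IPs over `limit` token calls per window per client."""
    recent = defaultdict(deque)  # (client_id, ip) -> timestamps still in window
    blocked = {}
    for ev in sorted(events, key=lambda e: _ts(e["date"])):
        ip, cid = ev.get("ip"), ev.get("client_id")
        if ev.get("type") not in M2M_TYPES or ip in allow or ip in blocked:
            continue
        now = _ts(ev["date"])
        calls = recent[(cid, ip)]
        calls.append(now)
        while calls and now - calls[0] >= window:  # drop calls outside the window
            calls.popleft()
        if len(calls) > limit:
            blocked[ip] = (f"{len(calls)} M2M token calls within "
                           f"{int(window.total_seconds())}s for client {cid} "
                           f"(limit {limit})")
    return blocked

def _mk(ip, cid, n, step_s, typ="seccft"):
    """Constructed sample events: n calls spaced step_s seconds apart."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    return [{"date": (base + timedelta(seconds=i * step_s)).isoformat() + "Z",
             "type": typ, "ip": ip, "client_id": cid} for i in range(n)]

# Constructed data using documentation-range addresses.
SAMPLE = (_mk("203.0.113.7", "billing-svc", 8, 2)         # burst: flagged
          + _mk("198.51.100.20", "billing-svc", 3, 60)    # one call a minute
          + _mk("192.0.2.10", "batch-job", 8, 1)          # known-good burst
          + _mk("198.51.100.99", "spa", 10, 1, typ="s"))  # not an M2M event

if __name__ == "__main__":
    for ip, reason in build_blocklist(SAMPLE, allow={"192.0.2.10"}).items():
        print(ip, "->", reason)
```

The result is a detection list with a recorded reason per address; enforcing it before the token is issued is the capability the post asks for.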

Thank you for creating this feedback card. Let’s see who else will be interested in such improvement!


Thanks for raising this. Didn’t see this on initial posts.

Some related posts


Thank you for adding this context!

Hi Konrad,

Is this something that will be on the workplan to be implemented? Having some tools, preconfigurable, to manage this, would really be something most useful.

Thanks
James

Hi Ben,

Thanks for raising similar requests. I am getting to the point where this is something I see as critical to being able to manage and have some tools to do so reactively when it happens. I feel as though we’re flying blind a bit on this one without them.

James

Unfortunately no precise information on that front. As with every product backlog, it all depends on the number of requests for each backlog item. There are still more features that have way more votes and feedback, so I guess with this one we still need some more advocacy.