IP Blacklisting/Controls for M2M token calls

IP Blacklisting for M2M calls

At present it is possible to implement a whitelist for M2M calls to the Auth0 API. However it does not appear possible to implement a blacklist for IPs where calls are coming for M2M access tokens to the Auth0 API. The problem with this is potentially unauthorized access and usage of M2M token quota, which could then have knock on effects.

From research, Auth0 does have IP throtttling, Bot Detection, Brute Force Detection built in (security/attack-protection in Dashboard) but these seem geared towards end user login flows, not M2M tokens. I see that there is some controls in place at the token level, but this relates to stopping calls from IPs before the token is issued.

It would be useful to have

  • IP throtttling, Bot Detection, Brute Force Detection type controls for M2M token calls, and a way to add some custom control (e.g x calls per minute from an IP for a token, blacklist it, place on blacklist with reason why). Such a custom control would allow the customer to determine a pattern that looked suspicious based on how they know their system is configured.
  • A way to manually add/remove IP addresses if needed to a Blacklist for this purpose

I have looked and not been able see this specifically raised before. Feedback would be welcome, hope the above is clear.

Regards,
James

Thank you for creating this feedback card. Let’s see who else will be interested in such improvement!

1 Like

Thanks for raising this. Didn’t see this on initial posts.

Some related posts

1 Like

Thank you for adding this context!

Hi Konrad,

Is this something that will be on the workplan to being implemented? Having some tools, preconfigurable, to manage this, would really be something most useful.

Thanks
James

Hi Ben,

Thanks for raising similar requests. I am getting to the point where this is something I see as critical to being able to manage and have some tools to do so reactively when it happens. I feel as though we’re flying blind a bit on this one without them

James