IP blocked not showing as blocked

I was testing passing wrong passwords and emails through my login form, and it looks like the Brute-Force protection blocked my IP, which is cool, but now when I try to log in using my credentials I receive this error, which as far as I understand from reading the docs means that my IP is blocked:

{"error":"requires_verification","error_description":"Suspicious request requires verification"}

The problem is that if I try to search my IP through:

GET https://{{auth0_domain}}/api/v2/anomaly/blocks/ips/{{my_ip}}

I receive this response

{
    "statusCode": 404,
    "error": "Not Found",
    "message": "Not Found"
}

Which makes no sense, because I can even find the logs related to this IP address, so this is the right address. What should I do in this case?

Hey @marcuscaum, there are multiple types of attack protection that come into action during logins.

  1. Brute-force Protection - When a single user attempts login with incorrect credentials (10 wrong attempts, unless this value is overridden in the dashboard). The IP is blocked for that user only. These blocks can be retrieved from GET /api/v2/user-blocks?identifier={id} or GET /api/v2/user-blocks/{user_id}
  2. Suspicious IP Throttling - When multiple users try 100+ failed login attempts or 50+ signups. That IP is blocked for everyone. These blocks can be found using the endpoint you used: GET /api/v2/anomaly/blocks/ips/{ip}.
  3. Bot Detection - This is a bit more complicated to explain, but you can read about it here. You can't search for IPs blocked by this.

The error you received seems to be from bot detection, so those endpoints will not show that it was blocked. You can verify this by turning off bot detection temporarily. It's not possible to unblock those IPs manually, but usually Auth0 login pages will display a captcha when this error is received so the user can solve it to complete the login.

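The answer above gives a three-step decision procedure: query user-blocks, then the anomaly IP-block endpoint, and treat a requires_verification error that neither endpoint explains as bot detection. Here it is as an added triage helper (not code from the thread or from Auth0); the Management API domain, token, and response shapes (`blocked_for` list on user-blocks, 200 vs 404 on the IP endpoint) are assumptions, and the sample responses below are constructed.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote


def mgmt_get(domain, token, path):
    """GET a Management API path with a bearer token (assumed: token has the
    read scopes for user blocks and anomaly blocks). Returns (status, json)."""
    req = urllib.request.Request(
        f"https://{domain}{path}", headers={"Authorization": f"Bearer {token}"}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read()
            return resp.status, (json.loads(body) if body else None)
    except urllib.error.HTTPError as exc:
        return exc.code, None


def classify_block(login_error, user_email, client_ip, fetch):
    """Map a rejected login to the attack-protection feature behind it.

    fetch(path) -> (status, json) is injected so the lookup can run offline.
    Assumed shapes: /user-blocks returns {"blocked_for": [...]} (non-empty when
    the user is blocked); /anomaly/blocks/ips/{ip} is 200 if blocked, 404 if not.
    """
    status, blocks = fetch(f"/api/v2/user-blocks?identifier={quote(user_email)}")
    if status == 200 and blocks and blocks.get("blocked_for"):
        return "brute-force-protection"       # per-user block, shown by user-blocks
    status, _ = fetch(f"/api/v2/anomaly/blocks/ips/{quote(client_ip)}")
    if status == 200:
        return "suspicious-ip-throttling"     # tenant-wide IP block
    if login_error.get("error") == "requires_verification":
        return "bot-detection"                # no endpoint exposes this block
    return "not-blocked"


def _constructed_fetch(path):
    """Offline stand-in reproducing the thread: user not blocked, IP lookup 404."""
    if path.startswith("/api/v2/user-blocks"):
        return 200, {"blocked_for": []}
    return 404, None


if __name__ == "__main__":
    err = {"error": "requires_verification",
           "error_description": "Suspicious request requires verification"}
    print(classify_block(err, "me@example.com", "203.0.113.5", _constructed_fetch))
```

For a live check, pass `lambda p: mgmt_get(DOMAIN, TOKEN, p)` as `fetch`.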

But in my case we are doing the login manually using the endpoints, passing email and password with the http://auth0.com/oauth/grant-type/password-realm grant_type, mostly because our application is a React Native application and, since we are using Expo, we can't use the Auth0 SDK directly. So how should I handle the captcha in this case?

Password grant (aka Resource Owner Password flow) is not supported with bot detection. Does the login work fine with bot detection turned off?


Yeah, it worked, so if it's not supported, why did I get blocked by it? Is there any way to just disable bot detection for my Auth0 application related to React Native? Both of our applications right now share the same tenant (web and mobile).

This is a limitation of the feature at the moment - with ROPG it is triggered, but you can't go around it by proving you're human. It'd be helpful if you could add some feedback with the use case so this can be improved.

I’m afraid you might have to turn off bot detection until the flow is fully supported. It’s an all-or-nothing for now.


Thanks for helping on this one Thameera!
