IP blocked not showing as blocked

I was testing pass wrong password and emails through my login form and looks like the Brute-Force protections blocked my IP, which is cool, but now when I try to login using my credentials I receive this error which as far I understand reading the docs it means that my IP is blocked:

{“error”:“requires_verification”,“error_description”:“Suspicious request requires verification”}

The problem is that if I try to search my IP through:

GET https://{{auth0_domain}}/api/v2/anomaly/blocks/ips/{{my_ip}}

I receive this response

{
    "statusCode": 404,
    "error": "Not Found",
    "message": "Not Found"
}

Which makes no sense, because I can even find the logs related to this IP address so this is the right address, so what should I do in this case?

Hey @marcuscaum, there are multiple types of attack protection that come into action during logins.

1. Brute-force Protection - When a single user attempts login with incorrect credentials (10 wrong attempts, unless this value is overridden in dashboard). The IP is blocked for that user only. These blocks can be retrieved from GET /api/v2/user=blocks?identifier={id} or GET /api/v2/user-blocks/{user_id}
2. Suspicious IP Throttling - When multiple users try 100+ failed login attempts or 50+ signups. That IP is blocked for everyone. These blocks can be found using the endpoint you used: GET /api/v2/anomaly/blocks/ips/{ip}.
3. Bot detection - This is a bit more complicated to explain, but you can read about it here. You can’t search for IPs blocked by this.

The error you received seems to be from bot detection, so those endpoints will not show up that it was blocked. You can verify this by turning off bot detection temporarily. It’s not possible to unblock those IPs manually, but usually Auth0 login pages will display a captcha when this error is received so the user can solve that to complete the login.

But in my case we are doing the login manually using the endpoints, passing email and password with the http://auth0.com/oauth/grant-type/password-realm grant_type, mostly because our application is a React Native application and since we are using Expo we can’t use the auth0 sdk directly, so how should I handle the captcha in this case?

Password grant (aka Resource Owner Password flow) is not supported with bot detection. Does the login work fine with bot detection turned off?

Yeah, it worked, so if it’s not supported why I got blocked by it? Is there any way to just disable the bot detection for my auth0 application related to React Native? Both of our applications right now shares the same tenant (web and mobile)

This is a limitation of the feature at the moment - with ROPG it is triggered but you can’t go around it by proving you’re human. It’d be helpful if you can add some feedback with the use case so this can be improved.

I’m afraid you might have to turn off bot detection until the flow is fully supported. It’s an all-or-nothing for now.

Thanks for helping on this one Thameera!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.