IP Contained in 'auth0-forwarded-for' Not Shown in Logs

Problem statement

After using the example from the Auth0 document Avoid Common Issues with Resource Owner Password Flow and Attack Protection as a guide, the ‘auth0-forwarded-for’ header has been configured to be sent during the ROPG authentication flow.

However, after testing, the Auth0 dashboard logs do not capture the ‘auth0-forwarded-for’ value that is sent. This article explains whether this is expected and how to achieve the desired result.

Symptoms

The auth0-forwarded-for header is being used to pass the end user’s real IP address from a backend to Auth0 in an ROPG flow, but the tenant logs do not show the forwarded IP address.

Troubleshooting

Check the client ID being used. It must meet both of the following conditions:

  1. Use a Token Endpoint Authentication Method that is NOT “none”
  2. Have “Trust Token Endpoint IP Header” enabled in Advanced Settings > OAuth

Cause

Auth0 ignores the auth0-forwarded-for header for unauthenticated clients (e.g. SPAs or Native apps, which are unable to provide a client secret), and also when the client has not been explicitly configured to trust the header.

Solution

For the tenant logs and anomaly detection to use the IP address passed in the auth0-forwarded-for header in a Resource Owner Password flow, the client ID used for the authentication must meet both of the following conditions:

  1. Use a Token Endpoint Authentication Method that is NOT “none”
  2. Have “Trust Token Endpoint IP Header” enabled in Advanced Settings > OAuth

Otherwise, the header is ignored, and the actual IP address used to make the call to “/oauth/token” is logged and used for anomaly detection.
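As an added example (not code from the article or from Auth0), the following Python shows a backend building the ROPG call to /oauth/token with the auth0-forwarded-for header set, refusing to proceed without a client secret, and deriving the end user's IP from a trusted proxy chain rather than from an attacker-controllable left-most X-Forwarded-For value. The domain, credentials and proxy range are constructed placeholders.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlencode

# Reverse proxies in front of this backend whose X-Forwarded-For entries are
# trusted. Constructed sample range for this example; use your own edge ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def end_user_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Walk the hop chain from the direct peer and skip trusted proxies; the
    first other address is the end user. Left-most X-Forwarded-For values are
    attacker-controlled, so they are never used directly."""
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    chain = hops + [remote_addr]
    for addr in reversed(chain):
        if not any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES):
            return addr
    return chain[0]  # every hop was a trusted proxy; keep the outermost one


def build_ropg_token_request(domain: str, client_id: str, client_secret: str,
                             username: str, password: str, client_ip: str,
                             audience: Optional[str] = None) -> dict:
    """Build the /oauth/token request for the Resource Owner Password grant.
    Auth0 only honours auth0-forwarded-for for an authenticated client that
    also has "Trust Token Endpoint IP Header" enabled (Advanced Settings > OAuth)."""
    if not client_secret:
        raise ValueError("auth0-forwarded-for is ignored for unauthenticated "
                         "clients; use a Token Endpoint Authentication Method "
                         "other than 'none'")
    ipaddress.ip_address(client_ip)  # reject malformed values before sending
    form = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "openid",
    }
    if audience:
        form["audience"] = audience
    return {
        "url": f"https://{domain}/oauth/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded",
                    "auth0-forwarded-for": client_ip},  # end user's real IP
        "body": urlencode(form),
    }
```

The returned dict can be sent with any HTTP client; if the tenant log entry still shows the backend's IP, re-check the two client settings above before changing the code.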

Related Resources

Configure your Application to trust the IP address