IP whitelisting per API key using Action?

I registered an API with Auth0 and plan to use the M2M client credentials flow to enable customers to create their own API keys for the API.

I am wondering whether it is possible to use an Action to do IP whitelisting per API key. The workflow will be the following:

  1. Customers log in to our portal to create their API keys and specify the IP addresses allowed to use each API key;
  2. Our portal calls Auth0 management API to create the M2M app and returns the client ID and secret to the customer.

The part I am not clear on is how to put the IP address info in the Action, since each API key will have different IP addresses.

Thanks.

Hi @gavin3466,

Welcome to the Auth0 Community!

I recommend creating a Machine-to-Machine whitelist action with an array of whitelisted IP addresses. Then in Step 2, I recommend calling the Management API’s Update an action endpoint to update your whitelist action with the corresponding IP address into the whitelist array.

For example:

exports.onExecuteCredentialsExchange = async (event, api) => {
  // Addresses allowed to obtain a token via client credentials.
  const whitelist = ["8.8.8.8", "1.2.3.4"];
  // event.request.ip is the caller's IP as seen by Auth0 for this token request.
  if (!whitelist.includes(event.request.ip)) {
    api.access.deny('invalid_request', "Access from your IP address is not allowed.");
  }
};

I hope this helps!

Please let me know if you have any further questions.

Thanks,
Rueben
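Extending the single hard-coded array above to a per-application allow-list, as an added example that is not from this thread or from Auth0's own documentation: the Action reads each M2M application's allowed addresses from its client metadata (assuming event.client.metadata carries that metadata in the credentials-exchange event; the key name allowed_ips and the comma-separated format are assumptions), so the portal writes the customer's addresses onto their own application instead of redeploying the Action, and IPv4 CIDR ranges are supported.

```javascript
// Added example, not the thread's code. Assumed client metadata key: "allowed_ips",
// a comma-separated string such as "203.0.113.10,198.51.100.0/24" (RFC 5737 test addresses).

// Convert a dotted-quad IPv4 string to an unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if ip equals an exact entry or falls inside one of the CIDR entries.
function ipAllowed(ip, entries) {
  const addr = ipv4ToInt(ip);
  if (addr === null) return false;
  return entries.some((entry) => {
    const [base, bitsStr] = entry.trim().split("/");
    const baseInt = ipv4ToInt(base);
    if (baseInt === null) return false;
    const bits = bitsStr === undefined ? 32 : Number(bitsStr);
    if (!Number.isInteger(bits) || bits < 0 || bits > 32) return false;
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((baseInt & mask) >>> 0);
  });
}

// Parse the metadata value; a missing or empty list denies every request (fail closed).
function allowedEntries(client) {
  const raw = (client && client.metadata && client.metadata.allowed_ips) || "";
  return raw.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

async function onExecuteCredentialsExchange(event, api) {
  const entries = allowedEntries(event.client);
  if (!ipAllowed(event.request.ip, entries)) {
    api.access.deny("invalid_request", "Access from your IP address is not allowed.");
  }
}

// Auth0 loads the handler from module.exports; the guard lets the file also run as a plain script.
if (typeof module !== "undefined") module.exports.onExecuteCredentialsExchange = onExecuteCredentialsExchange;
```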

Thanks @rueben.tiow! This helps a lot.

One more question: since the IP check happens before the access token is created and there is no IP info in the access token, a user could take the access token and call the API from a different IP. Is that a security issue?


Hi @gavin3466,

Thank you for your response.

This is a little tricky to answer since, technically, yes, this could be a security issue if the access token granted to the user was somehow compromised. I would recommend reading our https://auth0.com/docs/secure/tokens/token-best-practices documentation to familiarize yourself with the best practices for securing tokens.

I will add that, since only whitelisted IP addresses can get an access token for your Logical API, we can safely assume that it was granted to the right user. At this point, they would be able to use that access token however they prefer, which includes using it from a different IP.

In this case, my best recommendation would be to make these tokens as short-lived as possible so that it limits the time an attacker can abuse a stolen token.

Does that address your concern?

Thanks,
Rueben
