Prevent Logins from a Particular Client without Blocking the IP Address

Overview

Logins coming from a particular client who is no longer using the service need to be prevented. Deleting the client would not stop the automated requests from hitting Auth0. Blocking the IP address is not possible because the address is shared with other active clients.

Applies To

  • Client requests
  • Actions

Solution

To prevent login requests coming from a particular client that shares the same IP as other active clients, use an Action that calls api.access.deny. In the Action, add an if check: if event.client.name equals the blocked client's name, call api.access.deny("reason") to deny the request.

This template could also be helpful:

  exports.onExecutePostLogin = async (event, api) => {
    // Deny the login when the request comes from the blocked application.
    if (event.client.name === "Unallowed Application") {
      return api.access.deny("Access denied for this application.");
    }
  };
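The same check extended to a blocklist, as an added example that is not part of the original article or Auth0's own code: it matches on event.client.client_id as well as the name (an application's name can be edited, its client ID stays the same) and includes a mock api object so the logic can be exercised locally before deploying. The client ID value and the helper names isBlockedClient, makeMockApi and simulateLogin are assumptions made for illustration.

```javascript
// Constructed placeholder values: replace with the real client ID and name.
const BLOCKED_CLIENT_IDS = new Set(["BLOCKED_CLIENT_ID_PLACEHOLDER"]);
const BLOCKED_CLIENT_NAMES = new Set(["Unallowed Application"]);

// Hypothetical helper: true when the requesting application is blocklisted,
// either by its client ID or by its display name.
function isBlockedClient(client) {
  if (!client) return false;
  return (
    BLOCKED_CLIENT_IDS.has(client.client_id) ||
    BLOCKED_CLIENT_NAMES.has(client.name)
  );
}

// Post-login Action handler: deny the transaction for blocked applications,
// let every other application through untouched.
const onExecutePostLogin = async (event, api) => {
  if (isBlockedClient(event.client)) {
    api.access.deny("Access denied for this application.");
  }
};

// The Action editor expects the handler on `exports`.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Local test harness (hypothetical): a mock `api` that records deny() calls.
function makeMockApi() {
  const calls = [];
  return { calls, access: { deny: (reason) => calls.push(reason) } };
}

// Runs the handler against a constructed event and returns the deny reasons.
async function simulateLogin(client) {
  const api = makeMockApi();
  await onExecutePostLogin({ client }, api);
  return api.calls;
}
```

Calling simulateLogin with a constructed client object resolves to the list of deny reasons: an empty list means the login would proceed.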
