Restrict Access to Management API by IP Address

I created a Machine to Machine application that accesses the Management API. How do I limit access to it to a few select IP addresses? Do I need to paste the IP addresses into one of the fields in the Application URIs section or do I need to add a rule?

Hi @Chr,

Thanks for reaching out to the Auth0 Community!

A rule will not be sufficient since it only triggers post-authentication.

Instead, I recommend using a Machine-to-Machine Action to deny issuing tokens to blacklisted IP addresses. See below for a code snippet.

exports.onExecuteCredentialsExchange = async (event, api) => {
  // Deny the client-credentials token when the caller's IP is on the blocklist.
  const blacklist = ["8.8.8.8", "1.2.3.4"];
  if (blacklist.includes(event.request.ip)) {
    api.access.deny('invalid_request', "Access from IP address " + event.request.ip + " is not allowed.");
  }
};

Please let me know if you have any further questions.

Thank you.

1 Like

Thank you for the solution, @rueben.tiow .

I have now slightly reformulated your blacklisting approach into a whitelisting one.

exports.onExecuteCredentialsExchange = async (event, api) => {
  // Deny the client-credentials token unless the caller's IP is on the allowlist.
  const whitelist = ["8.8.8.8", "1.2.3.4"];
  if (!whitelist.includes(event.request.ip)) {
    api.access.deny('invalid_request', "Access from IP address " + event.request.ip + " is not allowed.");
  }
};

1 Like


Hi @Chr,

After working with one of our Solutions Architects, we revised the Action to ensure that it does not execute for all M2M calls, which could have an indirect consequence when using other APIs.

Given that, the Action script will need to specifically restrict access only to the Management API (https://YOUR_DOMAIN.REGION.auth0.com/api/v2).

Here is the new version:

exports.onExecuteCredentialsExchange = async (event, api) => {
  const whitelist = ["8.8.8.8", "1.2.3.4"];
  // Only restrict tokens requested for the Management API; other APIs are unaffected.
  // Note the strict comparison: a single "=" would assign and always evaluate truthy.
  if (event.resource_server.identifier === 'YOUR_API_IDENTIFIER' && !whitelist.includes(event.request.ip)) {
    api.access.deny('invalid_request', "Access from IP address " + event.request.ip + " is not allowed.");
  }
};

Hope this helps!

Thank you.

1 Like
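As an added example (not code from the thread or from Auth0), the allowlist Action above extended to accept CIDR blocks as well as single addresses, and to fail closed when the caller IP is missing or malformed. It assumes the placeholder MGMT_API_IDENTIFIER is replaced with the Management API identifier shown on the tenant's APIs page; the allowlist entries are constructed sample addresses. The event.request.ip, event.resource_server.identifier and api.access.deny calls are the ones used in the thread.

```javascript
// Added example: IPv4/CIDR allowlist for Management API client-credentials tokens.

// Placeholder: copy the Management API identifier from your tenant's APIs page.
const MGMT_API_IDENTIFIER = "YOUR_MGMT_API_IDENTIFIER";
// Constructed allowlist (assumed values): single hosts and CIDR blocks.
const ALLOWLIST = ["203.0.113.10", "198.51.100.0/24"];

// Dotted-quad IPv4 string -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if ip equals the entry or lies inside an "a.b.c.d/len" block.
function ipInEntry(ip, entry) {
  const [base, lenStr] = entry.split("/");
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false;
  const len = lenStr === undefined ? 32 : (/^\d{1,2}$/.test(lenStr) ? Number(lenStr) : NaN);
  if (!Number.isInteger(len) || len > 32) return false;
  const blockSize = 2 ** (32 - len); // division avoids signed 32-bit shift pitfalls
  return Math.floor(ipInt / blockSize) === Math.floor(baseInt / blockSize);
}

function isAllowed(ip, allowlist = ALLOWLIST) {
  return allowlist.some((entry) => ipInEntry(ip, entry));
}

// Pure decision: deny only for Management API tokens whose caller IP is missing or not allowlisted.
function decideAccess(event, allowlist = ALLOWLIST) {
  const audience = event.resource_server && event.resource_server.identifier;
  if (audience !== MGMT_API_IDENTIFIER) return { deny: false };
  const ip = event.request && event.request.ip;
  if (isAllowed(ip, allowlist)) return { deny: false };
  return { deny: true, message: `Access from IP address ${ip} is not allowed.` };
}

// Action entry point as the Auth0 runtime calls it.
async function onExecuteCredentialsExchange(event, api) {
  const decision = decideAccess(event);
  if (decision.deny) api.access.deny("invalid_request", decision.message);
}
if (typeof exports !== "undefined") exports.onExecuteCredentialsExchange = onExecuteCredentialsExchange;
```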