The user ends up in redirecting loop after account being manually blocked

Hi @KristianJ,

Welcome to the Auth0 Community and sorry for the late reply.

When blocking a user directly via the Dashboard there is currently no place to specify a concrete reason, so that is why no error message pops up when such a user tries to login. In order to also show an error message to specific users that are being blocked, it is recommended to use an Action to customize your message:

api.access.deny("You are being blocked to access this website");

For brute-fore protection in particular, the default error message that is being shown is:

Your account has been blocked after multiple consecutive login attempts

However, this is customizable as well. You can follow the steps from this Knowledge Article, but just locate the "user-blocked" object from the Raw JSON text editor to insert your custom text.

I hope this clarifies the situation.
Thanks,
Remus