Use auth0-forwarded-for for Sign Up Endpoint /dbconnection/signup

Problem statement

This article clarifies whether it is possible to send auth0-forwarded-for with the client’s IP in a header for the /dbconnection/signup endpoint.

Solution

The only flow/endpoint that currently supports the auth0-forwarded-for header is the POST /oauth/token endpoint for ROPG (Resource Owner Password Grant). Moreover, that endpoint only accepts the header if the request is authenticated with the client_secret; otherwise, the caller could forge the auth0-forwarded-for value and attribute the request to an arbitrary IP address.

The /dbconnection/signup endpoint is not meant to be called with authentication: it is an open endpoint that anyone can call. As such, we do not honor that header's value there, and we can only use the IP address of the connecting client to enforce the Suspicious IP Throttling protection.

That is the reason why auth0-forwarded-for is not recognized for sign-ups.
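The following Python snippet is an added example (not Auth0's own code) showing how a backend that proxies logins should build the two calls discussed above. The header name auth0-forwarded-for and the /oauth/token ROPG fields (grant_type, username, password, client_id, client_secret, audience, scope, realm) are Auth0's documented ones; the function names, the refusal to attach the header without a client_secret, the strict IP validation, and all sample values (domain, credentials, the 203.0.113.9 address) are this example's own assumptions. No request is sent; the functions only return what would be sent.

```python
import ipaddress
import json
from urllib.request import Request

# Auth0's documented header for passing the end user's IP on server-side ROPG calls.
AUTH0_FORWARDED_FOR = "auth0-forwarded-for"


def validated_ip(client_ip: str) -> str:
    """Accept only a literal IPv4/IPv6 address.

    The value normally comes from the proxy's own socket information, never from a
    client-controlled header. Validating it also rules out CR/LF or other text that
    could be abused as a header-injection vector. Raises ValueError otherwise.
    """
    return str(ipaddress.ip_address(client_ip.strip()))


def build_ropg_token_request(domain, client_id, client_secret, username, password,
                             client_ip, audience=None, scope="openid", realm=None):
    """Build the POST /oauth/token (ROPG) call with auth0-forwarded-for set.

    Mirrors Auth0's rule: the header is only honoured when the call is authenticated
    with client_secret, so this helper refuses to build one without it.
    """
    if not client_secret:
        raise ValueError("auth0-forwarded-for is only honoured on client_secret-authenticated "
                         "/oauth/token calls; refusing to build an unauthenticated request")
    body = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    if realm:  # password-realm variant selects a specific connection
        body["grant_type"] = "http://auth0.com/oauth/grant-type/password-realm"
        body["realm"] = realm
    if audience:
        body["audience"] = audience
    headers = {
        "Content-Type": "application/json",
        AUTH0_FORWARDED_FOR: validated_ip(client_ip),
    }
    return {"url": f"https://{domain}/oauth/token", "headers": headers, "body": body}


def build_signup_request(domain, client_id, connection, email, password):
    """Build the POST /dbconnection/signup call.

    Deliberately attaches no auth0-forwarded-for header: the endpoint is unauthenticated,
    so Auth0 ignores the header and throttles on the connecting IP (here, the proxy's).
    """
    body = {
        "client_id": client_id,
        "connection": connection,
        "email": email,
        "password": password,
    }
    headers = {"Content-Type": "application/json"}
    return {"url": f"https://{domain}/dbconnection/signup", "headers": headers, "body": body}


def as_urllib_request(spec):
    """Turn one of the dicts above into a urllib Request object (not sent here)."""
    return Request(spec["url"], data=json.dumps(spec["body"]).encode(),
                   headers=spec["headers"], method="POST")


if __name__ == "__main__":
    # Constructed sample values; the IP is from the TEST-NET-3 documentation range.
    spec = build_ropg_token_request("example-tenant.auth0.com", "client-id-placeholder",
                                    "client-secret-placeholder", "user@example.com",
                                    "correct horse battery staple", "203.0.113.9",
                                    realm="Username-Password-Authentication")
    req = as_urllib_request(spec)
    print(req.full_url, req.get_header("Auth0-forwarded-for"))
```

Because /dbconnection/signup cannot be told the real end-user IP, a backend that proxies sign-ups concentrates all of its users behind one source address for Suspicious IP Throttling purposes; the usual mitigation is to let the browser or native app call the signup endpoint directly so Auth0 sees each user's own address.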