User blocked by brute-force, without full email/username

I have a Username-Password-Authentication database where login with usernames is enabled.
I have the following users registered:
Alice, with email contact@alice.com and username “Alice”
Bob, with email contact@bob.com and username “Bob”

When I try to login multiple times with username “contact” and a random password, both Alice's and Bob's accounts are blocked for too many login attempts, even though “contact” is neither of their usernames.
This is even possible when login with usernames is disabled.

If “contact” is given as username and a correct password for either one of the two accounts is given, no access is granted.

I tried to log in with the following command, but it should also work with Universal Login. Also make sure that Brute Force Protection is enabled:

    curl --request POST \
      --url 'https://DOMAIN.auth0.com/oauth/token' \
      --header 'content-type: application/x-www-form-urlencoded' \
      --data grant_type=http://auth0.com/oauth/grant-type/password-realm \
      --data username=contact \
      --data password=password \
      --data client_id=CLIENT_ID \
      --data realm=Username-Password-Authentication

Hello @jasperh1,

That brute-force feature blocks an IP address, not a user, which is why Alice & Bob appear to be blocked. You need to unblock the IP via the Management API.

Edit: By the above I mean, if Alice or Bob tried logging in from another location (different IP), they would be able to log in.


Let us know if that did the job!

I’m indeed able to unblock both users, but when I look at the management dashboard Alice & Bob are the only users that appear to be blocked, by IP. Other users don’t have the “Blocked (BruteForce)” tag.

Their blocked_for attribute (under “Raw JSON” and also shown under the “Details” tab) in their profile is the key here:

    ...
    "blocked_for": [],
    ...

If there is an IP in there, you’ll need to repeat the unblock via mgmt API for that user.
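As an added illustration, not code from this thread or from Auth0, the Python below reads the per-user blocked_for list described above, spots an IP that blocks several users at once, and builds the Management API unblock call; the tenant domain, token and user records are constructed placeholders.

```python
import urllib.parse
import urllib.request

# Constructed sample records, shaped like the "blocked_for" field of a user profile:
# Alice and Bob carry the same blocking IP, Jane carries none.
SAMPLE_USERS = [
    {"user_id": "auth0|alice", "email": "contact@alice.com",
     "blocked_for": [{"identifier": "contact@alice.com", "ip": "203.0.113.7"}]},
    {"user_id": "auth0|bob", "email": "contact@bob.com",
     "blocked_for": [{"identifier": "contact@bob.com", "ip": "203.0.113.7"}]},
    {"user_id": "auth0|jane", "email": "jane@example.org", "blocked_for": []},
]


def blocked_entries(users):
    """Return (user_id, ip) for every IP listed in a user's blocked_for."""
    return [(u["user_id"], e["ip"])
            for u in users for e in u.get("blocked_for", [])]


def shared_block_ips(users):
    """IPs that sit in the blocked_for list of more than one user: the pattern
    from this thread, where one login name lined up with several mailboxes."""
    seen = {}
    for user_id, ip in blocked_entries(users):
        seen.setdefault(ip, set()).add(user_id)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) > 1}


def unblock_request(domain, token, user_id):
    """Build DELETE /api/v2/user-blocks/{id}, which clears that user's blocked_for.
    domain and token are placeholders supplied by the caller."""
    url = "https://%s/api/v2/user-blocks/%s" % (domain, urllib.parse.quote(user_id, safe=""))
    return urllib.request.Request(url, method="DELETE",
                                  headers={"Authorization": "Bearer " + token})


def unblock_all(domain, token, users, send=urllib.request.urlopen):
    """Issue one unblock per user with a non-empty blocked_for; returns the user
    ids that were sent. Pass a fake 'send' to rehearse without network access."""
    done = []
    for user_id in sorted({uid for uid, _ in blocked_entries(users)}):
        send(unblock_request(domain, token, user_id))
        done.append(user_id)
    return done


if __name__ == "__main__":
    print(shared_block_ips(SAMPLE_USERS))
    print(unblock_all("DOMAIN.auth0.com", "MGMT_API_TOKEN", SAMPLE_USERS, send=lambda r: None))
```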

If a user is indeed blocked for an IP, it's listed there.

This morning I tried again to block Alice and Bob by logging in with the “contact” username. This time however it didn’t block any users… I don’t know why I’m not able to reproduce it anymore.

But that resolves this issue, I suppose.

Thanks for your support!


I think my original explanation was misleading … I made it sound like: “once one person triggers a block on an IP address, all users at that IP will be blocked.” which I am fairly certain is not true. That IP address will only be added to blocked IP list of the user trying to log in. So Alice and Bob should be blocked when Jane triggers the block (assuming all three are behind the same IP).

The exception to this is: if there are 100+ failed logins from a given IP, then that IP is blocked for everyone.


Thanks a lot guys for the cooperation!

Maybe my explanation was wrong or not clear. But I meant that I have registered accounts for Alice, Bob and Jane in a database where usernames are not required. Alice and Bob share the same mailbox (for example “contact”) and Jane has a different one; all their e-mails have a different domain name and were created on the same IP.

When I try to login multiple times as “contact” (there is no account with this username), Alice and Bob are both blocked, but Jane is not.

My assumption was that Alice's and Bob's accounts were blocked because the login name was the same as their mailbox.