I have a Username-Password-Authentication database where login with usernames is enabled.
I have the following users registered:
Alice, with email email@example.com and username “Alice”
Bob, with email firstname.lastname@example.org and username “Bob”
When I try to log in multiple times with username “contact” and a random password, both accounts of Alice and Bob are blocked for too many login attempts, even though “contact” is neither of their usernames.
This is even possible when login with usernames is disabled.
If “contact” is given as username and a correct password for either one of the two accounts is given, no access is granted.
I tried to log in with the following command, but it should also work with the Universal Login. Also make sure that Brute Force Protection is enabled:
curl --request POST --url 'https://DOMAIN.auth0.com/oauth/token' --header 'content-type: application/x-www-form-urlencoded' --data grant_type=http://auth0.com/oauth/grant-type/password-realm --data username=contact --data password=password --data client_id=CLIENT_ID --data realm=Username-Password-Authentication