Using resource owner password from the server side
Server-side applications can use the Resource Owner Password Grant to access an API. The flow typically involves prompting the user for a username and password, which your server then submits to Auth0 to obtain an Access Token. When this flow is used from the server side, some anomaly-detection features might misbehave because Auth0 no longer sees the end user's connection directly. This document explains how to use the Resource Owner Password Grant flow from the server side while avoiding the most common issues.
Before you continue, make sure brute-force protection is enabled in your dashboard.
1. Your server prompts the user for credentials (such as username and password). This can be done in many different ways, for example via a browser UI or by providing an API.
2. The user enters credentials and the client-side application submits them to a backend server under your control.
3. Your server submits the credentials to Auth0 using the Resource Owner Password Grant flow.
4. Auth0 validates the credentials and returns an Access Token. As part of the validation process, Auth0 might also run anomaly-detection checks and take appropriate action if an anomaly is detected.
Brute-force protection and server-side APIs
Brute-force protection relies on knowing the original user's IP. When you call the API from your server, Auth0 treats the IP of your server as the IP of the end user and uses it as input for the anomaly-detection functionality, in particular for brute-force protection. Since every user's login attempt then appears to come from the same address, this can trigger false positives in the brute-force protection shields, causing Auth0 to block users or raise warnings for legitimate requests.
To prevent this, you can send the end user's IP address to Auth0 along with the credentials and configure the application to trust the provided IP. For security reasons, this configuration is only available to authenticated applications (that is, applications that authenticate with a client secret).
Configuring the Auth0 Application to receive and trust the IP sent by your server
1. Navigate to your dashboard and configure a regular web application or a machine-to-machine application.
2. Under the Settings section, choose a Token Endpoint Authentication Method other than None.
3. Scroll to the bottom and click Show Advanced Settings.
4. Under the OAuth tab, switch on Trust Token Endpoint IP Header to configure the application to trust the IP sent from your server.
Sending the end-user IP from your server
To send the end-user IP from your server, include an auth0-forwarded-for header with the value of the end-user IP address. If the auth0-forwarded-for header is marked as trusted, as explained above, Auth0 will use it as the source IP for brute-force protection. It is important to make sure the provided IP address really belongs to your end user.
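The following is an added example, not code from the Auth0 documentation or SDKs. It shows the two pieces a server needs for this flow: deriving an end-user IP that can actually be trusted (the X-Forwarded-For header is only believed when the request arrived through a proxy you operate, and it is read from the right so a value injected by the client is ignored), and assembling the Resource Owner Password Grant call to /oauth/token with the auth0-forwarded-for header set. The tenant domain, client credentials and the TRUSTED_PROXIES range are constructed placeholders; only request_token performs a network call.

```python
import ipaddress
import json
import urllib.request

# Constructed placeholders: substitute your tenant domain and the credentials of
# an Auth0 application whose Token Endpoint Authentication Method is not "None".
AUTH0_DOMAIN = "YOUR_DOMAIN.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"

# Networks of the reverse proxies / load balancers we operate ourselves (assumed
# value). Only X-Forwarded-For entries appended by these hops are believed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def resolve_end_user_ip(remote_addr, x_forwarded_for=""):
    """Pick the address to send in auth0-forwarded-for.

    remote_addr is the peer that opened the connection to our server;
    x_forwarded_for is the raw X-Forwarded-For header (possibly empty).
    The header is only trusted when the peer is one of our own proxies, and
    it is walked from the right so that a value injected by the client is
    ignored. Returns None when no trustworthy address is found, in which
    case the caller omits the header instead of forwarding junk.
    """
    peer = _parse_ip(remote_addr)
    if peer is None:
        return None
    if not _is_trusted_proxy(peer):
        # The client reached us directly: its own X-Forwarded-For is untrusted.
        return str(peer)
    hops = [h for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        addr = _parse_ip(hop)
        if addr is None:
            return None  # malformed entry: refuse to guess
        if not _is_trusted_proxy(addr):
            return str(addr)
    return None  # every hop was one of our proxies; nothing to forward


def build_token_request(username, password, end_user_ip=None, audience=None):
    """Assemble the Resource Owner Password Grant call made by the server."""
    url = "https://%s/oauth/token" % AUTH0_DOMAIN
    body = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
    if audience:
        body["audience"] = audience
    headers = {"Content-Type": "application/json"}
    if end_user_ip:
        # Only honoured by Auth0 once "Trust Token Endpoint IP Header" is on.
        headers["auth0-forwarded-for"] = end_user_ip
    return url, headers, body


def request_token(username, password, remote_addr, x_forwarded_for=""):
    """Send the grant request and return Auth0's parsed JSON response."""
    ip = resolve_end_user_ip(remote_addr, x_forwarded_for)
    url, headers, body = build_token_request(username, password, ip)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="POST"
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: request came through our proxy 10.0.0.4, the
    # client itself sits at 198.51.100.9 and tried to prepend a fake hop.
    print(resolve_end_user_ip("10.0.0.4", "1.2.3.4, 198.51.100.9, 10.0.0.7"))
```

If your application sits behind a managed load balancer, the trusted range should be exactly that balancer's egress addresses; trusting too wide a range lets a client pick the address Auth0 sees, which defeats brute-force protection for that client.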
When using the Resource Owner Password Grant from your web server with brute-force protection enabled, you can specify a whitelist of IPs that will not be considered when triggering brute-force protection. Both the auth0-forwarded-for IP address and the IP address of the proxy server are checked against IP address whitelists.