Country-Based Access Control

Published on August 23, 2022
Learning Goal
Learn how to restrict access to your applications by country using Auth0 Actions.

In this lab, you will:

  • Configure a no-code Auth0 Action from the Auth0 Marketplace.
  • Integrate a no-code Auth0 Action with your Login flow.
  • Test access restrictions based on user location.

Why Use Country-Based Access Control?

There are several reasons you may need to implement country-based access controls for your applications. For example, your organization may need to comply with legal or contractual restrictions tied to the locations where it does business.

Using an Auth0 Action, you can define the countries from which persons and entities must be prevented from logging in to your applications.

Actions are functions that execute at certain points during the Auth0 runtime, such as when a user signs up or logs in. For country-based access control, your Action defines a list of restricted countries based on your business needs, and Auth0 blocks logins whose source IP address geolocates to one of those countries.

Be aware that anyone can use a VPN or proxy to bypass country-based access control that relies on the source IP address.

You should see this Action-based strategy as a tool to help you reduce the likelihood of someone accessing your applications from countries where your services should not be accessed. However, your organization will need to explore other tools and strategies to provide more comprehensive access control, which is beyond the scope of this lab.

Nonetheless, this Action is a solid example of how to quickly provide business value with a no-code solution from Auth0.

Lab Setup

Create an Auth0 Account

If you already have an Auth0 account, you can log in to your tenant and continue to the next step.

Otherwise, sign up for a free Auth0 account.

During the sign-up process, you create something called an Auth0 Tenant, representing the product or service to which you are adding authentication.

Once you sign in, Auth0 takes you to the Auth0 Dashboard, where you can configure and manage the authentication services for your applications.

Configure a Pre-Built Action

Use a non-production tenant, where you are comfortable trying new features.

Ensure that you are still logged in to the Auth0 Dashboard and follow these steps:

  • Visit the Auth0 Marketplace to access the pre-built "Country-based Access" Action.

  • Click the "Add Integration" button from the "Country-based Access" page, which is right below the Auth0 logo.

  • The "Select a Tenant" page loads up.

  • Select the Auth0 tenant you created or any existing ones.

  • A page loads with a list of the permissions (or access requirements) that the Country-based Access Action needs to fully integrate with your tenant. Click the "Continue" button.

What are these Action permissions about?

The "Country-based Access" Action asks for the following permissions:

  • Read and share user profile information.
  • Accept login requests from Country-based Access.
  • Receive and store user identities.
  • Receive and update users.
  • Deny login requests.
  • Update user profile information.

Rest assured that these are the minimal permissions that this Action (built by Auth0) needs to provide you with its functionality.

  • The "Configuration" page loads up where you can set up your Action by providing the following input:

    • "Country Codes To Block": Enter the code for the country from which you are connecting to the internet, so that your own login attempt will be blocked when you test the Action later. For example:
      • 🇦🇺 Australia: AU
      • 🇬🇧 United Kingdom: GB
      • 🇩🇪 Germany: DE
      • 🇺🇸 United States: US
    • "Apply US Export Controls": Use the default value, "No".
    • "Custom Error Description": Use the default value, "Access denied from your location".
  • With all set up, click the "Create" button.

  • The "Library" page loads up, where you can manage your Auth0 actions and configuration.

You have configured and added a pre-built Auth0 action to your Actions Library.
This option takes ISO 3166-1 alpha-2 codes; you can see the complete list of "ISO 3166 Country Codes".
The "Apply US Export Controls" option allows your application to block access quickly and automatically for regions restricted under US export controls laws and regulations.

Integrate a Pre-Built Action

Follow these steps to integrate the pre-built Action with your Login Flow:

  • Locate your "Country-based Access" Action under the "Installed" tab of the Actions library.
  • Click the "..." button at the end of the Action block.
  • Select "Add to flow" from the options.
  • Drag and drop the "Country-based Access" block between the "Start" and "Complete" event icons on the Flow board, which is located to the left.
If you completed the "Enrich User Profiles" Action lab, place the "Country-based Access" block before the "Profile Enrichment" one. However, even if you place it afterward, Auth0 will not save any user metadata if the authentication pipeline fails, which happens if you attempt to log in from a blocked country.
  • Click the "Apply" button to make this Login pipeline effective.
You will get a toast notification with the following message: "Login flow updated".

How does this Action work?

Once this Action integration is in effect, it inspects the geolocation of the source IP address of every login. It denies access to end users whose address geolocates to one of the blocked countries or regions. When denying access, Auth0 redirects back to the application with these parameters:

  • error is set to access_denied.
  • error_description is set to "Access denied from your location" or to any custom message you specified.

Caveats

If Auth0 cannot resolve geolocation information for an IP address, the Action will not block the login attempt; in other words, it fails open.

Additionally, Auth0 keeps its geolocation database up to date; however, geolocation information can be inaccurate for a short time after IP ranges are reallocated.
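As an added example (this is not the Marketplace Action's source code, which the page does not show), the following custom post-login Action written against the Auth0 Actions API reproduces the behaviour described in "How does this Action work?" and handles the missing-geolocation case from the Caveats. The blocked-country list, the FAIL_CLOSED switch, the mockApi helper and the sample events are assumptions constructed for the example; event.request.geoip.countryCode and api.access.deny are the documented Actions API.

```javascript
// Added example, not the Marketplace Action's own source code: a custom
// post-login Action that reproduces the behaviour described above using the
// Auth0 Actions API (event.request.geoip.countryCode and api.access.deny).
// Assumed/illustrative values: the BLOCKED_COUNTRIES list, the FAIL_CLOSED
// switch, mockApi and the constructed sample events near the bottom.

// ISO 3166-1 alpha-2 codes to block; assumed list mirroring the lab's examples.
const BLOCKED_COUNTRIES = new Set(['AU', 'GB', 'DE', 'US']);
// Matches the lab's default "Custom Error Description".
const CUSTOM_ERROR_DESCRIPTION = 'Access denied from your location';
// The Marketplace Action fails open when no geolocation is available (see Caveats).
// true denies such logins instead; an assumed hardening option, not the page's default.
const FAIL_CLOSED = false;

// Pure decision function so the policy can be tested without Auth0.
// Returns { allow: boolean, reason?: string, countryCode?: string }.
function decideAccess(event, options = {}) {
  const blocked = options.blocked || BLOCKED_COUNTRIES;
  const failClosed = options.failClosed ?? FAIL_CLOSED;
  const geoip = (event && event.request && event.request.geoip) || {};
  const raw = geoip.countryCode;

  if (!raw) {
    // Caveat from the page: no geolocation means the lookup failed, so the
    // Marketplace Action cannot block. Only deny if explicitly configured to.
    return failClosed
      ? { allow: false, reason: 'Geolocation unavailable' }
      : { allow: true, reason: 'no geolocation available, failing open' };
  }

  const countryCode = String(raw).toUpperCase();
  if (blocked.has(countryCode)) {
    return { allow: false, reason: CUSTOM_ERROR_DESCRIPTION, countryCode };
  }
  return { allow: true, countryCode };
}

// What the application receives on its callback URL when the login is denied
// (error and error_description, as described above), or null when allowed.
function callbackParamsFor(event, options = {}) {
  const decision = decideAccess(event, options);
  if (decision.allow) return null;
  return { error: 'access_denied', error_description: decision.reason };
}

// The Action entry point as Auth0 would invoke it. api.access.deny(reason)
// makes Auth0 redirect to the application with error=access_denied and
// error_description=reason.
async function onExecutePostLogin(event, api) {
  const decision = decideAccess(event);
  if (!decision.allow) {
    api.access.deny(decision.reason);
  }
}
// Auth0 looks for exports.onExecutePostLogin; guarded so the file also runs as a plain script.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Constructed sample events, shaped like the Actions event object (minimal fields only).
const SAMPLE_EVENTS = {
  germany: { request: { ip: '203.0.113.10', geoip: { countryCode: 'DE', countryName: 'Germany' } } },
  france: { request: { ip: '203.0.113.11', geoip: { countryCode: 'FR', countryName: 'France' } } },
  unknown: { request: { ip: '198.51.100.7' } }, // no geoip: lookup failed
};

// Minimal stand-in for the api object that records what the Action decided.
function mockApi() {
  const calls = [];
  return { calls, access: { deny: (reason) => calls.push({ deny: reason }) } };
}

// Run the Action over the samples: DE is denied, FR allowed, unknown allowed (fail open).
for (const [name, event] of Object.entries(SAMPLE_EVENTS)) {
  const api = mockApi();
  onExecutePostLogin(event, api).then(() => {
    console.log(name, api.calls.length ? api.calls[0] : 'allowed');
  });
}
```

If you paste the Action part into a custom Action in the Auth0 Dashboard, keep only the constants, decideAccess and the exports.onExecutePostLogin assignment; the sample events and mockApi exist only so the policy can be exercised offline. Deciding whether to fail open or closed when geolocation is missing is the one choice the Marketplace Action makes for you, so it is worth making explicitly in a custom version.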

Test the Country-Based Access Control

Use the Auth0 Dashboard to log in

Instructions

  • Visit the Auth0 Dashboard home page.
  • Locate the "Try your Login box" under the "Next Steps" section.
  • Click the "Try it out" link.
  • Log in using any of the available login options.

Expected results

  • Auth0 redirects you to a callback page, /tester/callback, where you see an error message on the screen: "Bummer! Something failed".
  • The page displays a JSON object with the details of the error:
  {
    "error": "access_denied",
    "error_description": "Access denied from your location"
  }

Recap

You have learned how to reduce the likelihood of someone logging in from a restricted country, based on the geolocation of the user's IP address. Remember that this is a lightweight mitigation layer that a VPN can easily bypass. However, it is still a good example of the no-code solutions available for developers to integrate key business functionality into their applications with just a few clicks.

Explore the many other pre-built Actions available in the Auth0 Marketplace. You can find integrations that cover use cases related to consent management, identity proofing, decentralized identity, and much more.