Jay's blog

Block Users In Auth0 From The Command Line

Original art, one of the Blockheads from Gumby

As previously established, I use Auth0 at work. Whenever a client decides not to renew their contract, which I'm thankful is an uncommon event[1], I have to collect each user's email address from our application, search for their account in the Auth0 web app, and block each user.[2] It's a tedious process.

I've only had to do this process once so far. But being a developer, I immediately wanted to automate this process with a shell script. With Auth0's web app, it takes a copy/paste and 4 clicks per user I'm blocking. That's unacceptable. After the first half-dozen users, my eyes lose focus and my mind starts to wander. And that's when the odds I'll make a mistake spike.

This was the push I needed to finally install Auth0's command line tool, auth0-cli.

After authenticating with auth0 login, the first step will be finding the user's ID based on their email address.

auth0 users search -q email:"user1@example.com"

Most commands in auth0-cli have a --json option to print their output in JSON format, which will make it easy to grab what I need by piping the output to jq.

With some error handling in case I receive anything besides exactly one result from my query, I'll have the user's ID. Using that, I should be able to block the user by... uh....

Let's see.... I can delete users using auth0 users delete, but as I mentioned before, that's not applicable in my case. I can "view" blocks[3] on particular users via auth0 users blocks list, and I can unblock users with auth0 users blocks unblock.

Wait, what!? There doesn't seem to be any way to block a user via auth0-cli. How can that be? Isn't this one of the most common use cases for the tool?

If auth0-cli isn't up to the task, what are my options? I could script my browser, but that's awfully heavy-handed for a service that has an API. I could use the official Auth0 management API either via curl or a package in my favorite programming language. But this is actually really inconvenient compared to using auth0-cli, specifically because of authentication.

With auth0-cli, I'm authenticated via my personal Auth0 management user account. It's no harder and no different from signing into the Auth0 management web app. If I wanted to use the Auth0 management API via other means, I'd have to use an ID/secret pair from an "application" (in Auth0's parlance). I could use the production creds our app uses, but that would be horrendous opsec.

I could create a temporary "application" to run this script and then delete it when I'm done. That's pretty inconvenient, though. If my shell script turns out well, I'd like to be able to share it with my coworkers in case they ever need to perform this kind of task.

If I felt like building a Rube Goldberg machine, maybe I could script the creation of a temporary "application" using auth0-cli and delete it when the script is done....

Ugh. Feels Bad, Man™. I ended up just doing the task manually. It was going to take more time to automate this than to do it by hand.[4]

Afterwards, I made a feature request for the ability to block users using the command line tool. Ewan Harris, a developer at Auth0, left a very helpful reply that pointed out a feature of the command line tool that I completely overlooked: auth0 api.

The auth0 api command is essentially a passthrough that lets you call the management REST API directly using the credentials auth0-cli already has, contrasting the limited porcelain the tool provides. In other words, it's exactly what I was looking for! According to Ewan Harris, this would do the trick: auth0 api patch "users/<user_id>" --data "{\"blocked\":true}".

This is usually where I'd share a neat little shell script you can use to do this task. However, I haven't had occasion to need it. If that day comes, I'll write a shell script that takes a list of email addresses and blocks their user accounts. I'll try to share it here. In the meantime, you should have all the tools you need to do it yourself using auth0-cli and jq.
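One way to wire the steps above together (search by email, require exactly one match, then call auth0 api patch), written as an added example and not the author's or Auth0's own script. The function names, the DRY_RUN switch, the email character allowlist, and the shape of the --json output (an array of objects with user_id and email fields) are assumptions.

```sh
#!/bin/sh
# Added example, not the author's script. Assumes `auth0 login` has been run
# and that `auth0 users search --json` prints a JSON array of user objects
# with "user_id" and "email" fields (assumed output shape).

# Print the user_id for an email only when exactly one account matches it.
lookup_user_id() {
    case $1 in
        # Conservative allowlist so input cannot alter the search query.
        ''|*[!A-Za-z0-9@._+-]*) echo "skip '$1': unexpected characters" >&2; return 1 ;;
    esac
    results=$(auth0 users search -q "email:\"$1\"" --json) || return 1
    id=$(printf '%s' "$results" | jq -r --arg e "$1" '
        if length == 1 and ((.[0].email // "") | ascii_downcase) == ($e | ascii_downcase)
        then .[0].user_id else empty end') || return 1
    [ -n "$id" ] || { echo "skip $1: need exactly one exact match" >&2; return 1; }
    printf '%s\n' "$id"
}

# The call from Ewan Harris's reply, with the looked-up ID filled in.
block_user() {
    auth0 api patch "users/$1" --data '{"blocked":true}' >/dev/null
}

# Block every email given; set DRY_RUN=1 to only report what would happen.
# FAILED holds the number of addresses that were not blocked.
block_emails() {
    FAILED=0
    for email in "$@"; do
        if ! uid=$(lookup_user_id "$email"); then
            FAILED=$((FAILED + 1))
        elif [ -n "${DRY_RUN:-}" ]; then
            echo "would block $uid ($email)"
        elif block_user "$uid"; then
            echo "blocked $uid ($email)"
        else
            echo "FAILED to block $uid ($email)" >&2
            FAILED=$((FAILED + 1))
        fi
    done
    [ "$FAILED" -eq 0 ]
}

# Usage: sh block-users.sh user1@example.com user2@example.com
if [ "$#" -gt 0 ]; then
    block_emails "$@"
fi
```

Running it once with DRY_RUN=1 shows which accounts would be blocked before anything is changed, and a non-zero exit status means at least one address was skipped or failed.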

  1. Hi, HR! Thanks for reading! ✌️😜

  2. This is for the "why don't you just..." crowd. This is about a proprietary application owned by my employer, so I can't go into detail. But trust me that I can't delete the Auth0 accounts, and there's no in-application flag I can set to block a user at the moment.

  3. TIL there's more to blocking users in Auth0 than blocking them by hand like I'm doing. Apparently there are Auth0 features for automatically blocking new users who exhibit bot-like behavior. This was news to me as my employer's application is a fairly niche web app for medical clinics. We're not seeing nearly enough traffic to be subject to scripted sign-ups.

  4. https://xkcd.com/1205/