I think I know the answer to this but wanted to confirm this is expected and not a bug of any sort (I think it is expected).
Short version: our site uses SSO. The primary website controls registration and authorizes an account in Discourse over SSO. Now, we’ve made sure that we pass forward the user’s IP address in our setup and we can confirm that by looking at each user’s Admin page; however, when we add an IP address to the Blocked list in Screened IPs, it doesn’t block future attempts to create/authorize an account.
My guess is SSO bypasses that check, is that a correct statement, and is that the expected outcome?
Backstory:
The reason why I ask, is our moderation team is doing extra work right now ensuring IP addresses get added to the blocked list for accounts that are extremely disruptive/abusive and have noticed it doesn’t seem to make a difference. So with that said, they are wanting me to investigate if they need to continue doing those steps or can just ignore them (in case the screened ip list serves no purpose to SSO setups).
If sso is controlling who logs in to your site then discourse doesn’t and can’t. I’m pretty sure that there is no benefit in blocking ip on the discourse side since another server controls logins.
I just tested this on my own site. After adding my IP Address to the Screened IPs list and setting its action to “Block”, users are not able to create new accounts from that IP address when logging in via SSO. This is by design. You can see where it happens in the code here: discourse/app/controllers/session_controller.rb at main · discourse/discourse · GitHub.
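To make the behaviour described in the reply above concrete, here is an added illustration (not Discourse's own code or data model) of the decision a forum makes when an SSO login arrives: the screened-IP lookup runs against the address of the connection that delivers the SSO payload, not against any custom field carried inside the payload. The screened table, the `registration_ip` custom field and the `sso_login_decision` helper are constructed for this example; the rule that existing accounts are not affected by a block is an assumption made here, since the reply only covers new-account creation.

```ruby
require "ipaddr"

# Constructed screened-IP table (hypothetical, not Discourse's data model).
# Each entry is what an admin would type into Screened IPs: a host or CIDR
# plus an action. Entries are pre-parsed into IPAddr objects for matching.
SCREENED_IPS = [
  { cidr: "203.0.113.0/24", action: :block },
  { cidr: "203.0.113.50",   action: :allow }, # more specific, overrides the /24
].map { |e| e.merge(net: IPAddr.new(e[:cidr])) }

# Return the action of the most specific screened entry covering ip_string,
# :none when nothing matches, :invalid when the string is not an IP address.
def screened_action(ip_string, table = SCREENED_IPS)
  ip = IPAddr.new(ip_string)
  matches = table.select { |e| e[:net].include?(ip) }
  return :none if matches.empty?
  matches.max_by { |e| e[:net].prefix }[:action]
rescue IPAddr::InvalidAddressError
  :invalid
end

# Simulated SSO login decision (hypothetical helper). request_ip is the address
# of the browser completing the SSO round trip; sso_payload is the signed data
# from the identity provider, including any custom fields such as the
# registration IP recorded by the primary site.
def sso_login_decision(request_ip:, sso_payload:, existing_user: false)
  # Assumption for this example: only new-account creation is screened.
  if !existing_user && screened_action(request_ip) == :block
    return { allowed: false, reason: "IP address is blocked [#{request_ip}]" }
  end
  { allowed: true, reason: "ok", registration_ip: sso_payload.dig(:custom, :registration_ip) }
end

if __FILE__ == $0
  # Constructed payload: the primary site saw the user register from a blocked
  # address, but the browser reaching the forum uses a different one (a VPN,
  # say). The forum checks the connection address, so the account is created.
  payload = { external_id: "u-42", custom: { registration_ip: "203.0.113.9" } }
  p sso_login_decision(request_ip: "192.0.2.77", sso_payload: payload)
  p sso_login_decision(request_ip: "203.0.113.9", sso_payload: payload)
end
```

The second call shows the blocked case that produces the "IP address is blocked" log entry; the first shows why a block recorded against a registration IP custom field has no effect when the forum-facing connection comes from somewhere else.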
Interesting… as we definitely have a recent account whose registration IP was blocked on August 20th, but they successfully created an account on September 15th.
Edited:
But then I also found this in the logs, so it seems to work occasionally?
Verbose SSO log: IP address is blocked [ip_address_redacted]
add_groups:
admin:
moderator:
avatar_force_update:
...
Ah, I think I see what is going on. We have a custom SSO field named registration IP, and that clearly shows the blocked IP address, but the Last IP listed in Discourse is different. My guess, and it’s purely a guess, is that this might be explained by VPN usage, but how our registration field got the blocked address and Discourse got a different one is unknown to me.