auth0 4.4.0 → 5.1.2

data/lib/auth0/api/authentication_endpoints.rb

@@ -1,314 +1,276 @@
+# frozen_string_literal: true
 # rubocop:disable Metrics/ModuleLength
+
+require 'jwt'
+
 module Auth0
   module Api
-    # {https://auth0.com/docs/auth-api}
-    # Methods to use the authentication endpoints
+    # {https://auth0.com/docs/api/authentication}
+    # Methods to use the Authentication API
     module AuthenticationEndpoints
       UP_AUTH = 'Username-Password-Authentication'.freeze
       JWT_BEARER = 'urn:ietf:params:oauth:grant-type:jwt-bearer'.freeze
 
-      # Retrives an access token
-      # @see https://auth0.com/docs/auth-api#!#post--oauth-access_token
-      # @param access_token [string] Social provider's access_token
-      # @param connection [string] Currently, this endpoint only works for Facebook, Google, Twitter and Weibo
-      # @return [json] Returns the access token
-      def obtain_access_token(access_token = nil, connection = 'facebook', scope = 'openid')
-        if access_token
-          request_params = { client_id: @client_id, access_token: access_token, connection: connection, scope: scope }
-          post('/oauth/access_token', request_params)['access_token']
-        else
-          request_params = { client_id: @client_id, client_secret: @client_secret, grant_type: 'client_credentials' }
-          post('/oauth/token', request_params)['access_token']
-        end
+      # Request an API access token using a Client Credentials grant
+      # @see https://auth0.com/docs/api-auth/tutorials/client-credentials
+      # @param audience [string] API audience to use
+      # @param organization [string] Organization ID
+      # @return [json] Returns the API token
+      def api_token(
+        client_id: @client_id,
+        client_secret: @client_secret,
+        organization: @organization,
+        audience: nil
+      )
+
+        request_params = {
+          grant_type: 'client_credentials',
+          client_id: client_id,
+          client_secret: client_secret,
+          audience: audience,
+          organization: organization
+        }
+
+        response = post('/oauth/token', request_params)
+        ::Auth0::ApiToken.new(response['access_token'], response['scope'], response['expires_in'])
       end
 
-      # Gets the user tokens using the code obtained through passive authentication in the specified connection
-      # @see https://auth0.com/docs/auth-api#!#post--oauth-access_token
-      # @param connection [string] Currently, this endpoint only works for Facebook, Google, Twitter and Weibo
-      # @param scope [string] Defaults to openid. Can be 'openid name email', 'openid offline_access'
-      # @param redirect_uri [string] Url to redirect after authorization
-      # @param redirect_uri [string] The access code obtained through passive authentication
-      # @return [json] Returns the access_token and id_token
-      def obtain_user_tokens(code, redirect_uri, connection = 'facebook', scope = 'openid')
-        raise Auth0::InvalidParameter, 'Must supply a valid code' if code.to_s.empty?
-        raise Auth0::InvalidParameter, 'Must supply a valid redirect_uri' if redirect_uri.to_s.empty?
+      # Get access and ID tokens using an Authorization Code.
+      # @see https://auth0.com/docs/api/authentication#authorization-code
+      # @param code [string] The authentication code obtained from /authorize
+      # @param redirect_uri [string] URL to redirect to after authorization.
+      #   Required only if it was set at the GET /authorize endpoint
+      # @param client_id [string] Client ID for the Application
+      # @param client_secret [string] Client Secret for the Application.
+      # @return [Auth0::AccessToken] Returns the access_token and id_token
+      def exchange_auth_code_for_tokens(
+        code,
+        redirect_uri: nil,
+        client_id: @client_id,
+        client_secret: @client_secret
+      )
+        raise Auth0::InvalidParameter, 'Must provide an authorization code' if code.to_s.empty?
+
         request_params = {
-          client_id:     @client_id,
-          client_secret: @client_secret,
-          connection:    connection,
-          grant_type:    'authorization_code',
-          code:          code,
-          scope:         scope,
-          redirect_uri:  redirect_uri
+          grant_type: 'authorization_code',
+          client_id: client_id,
+          client_secret: client_secret,
+          code: code,
+          redirect_uri: redirect_uri
         }
-        post('/oauth/token', request_params)
+        ::Auth0::AccessToken.from_response post('/oauth/token', request_params)
       end
 
-      # Logins using username/password
-      # @see https://auth0.com/docs/auth-api#!#post--oauth-ro
-      # @param username [string] Username
-      # @param password [string] User's password
-      # @param scope [string] Defaults to openid. Can be 'openid name email', 'openid offline_access'
-      # @param id_token [string] Token's id
-      # @param connection_name [string] Connection name. Works for database connections, passwordless connections,
-      # Active Directory/LDAP, Windows Azure AD and ADF
-      # @return [json] Returns the access token and id token
-      def login(username, password, id_token = nil, connection_name = UP_AUTH, options = {})
-        raise Auth0::InvalidParameter, 'Must supply a valid username' if username.to_s.empty?
-        raise Auth0::InvalidParameter, 'Must supply a valid password' if password.to_s.empty?
+      # Get access and ID tokens using a refresh token.
+      # @see https://auth0.com/docs/api/authentication#refresh-token
+      # @param refresh_token [string] Refresh token to use. Request this with
+      #   the offline_access scope when logging in.
+      # @param client_id [string] Client ID for the Application
+      # @param client_secret [string] Client Secret for the Application.
+      #   Required when the Application's Token Endpoint Authentication Method
+      #   is Post or Basic.
+      # @return [Auth0::AccessToken] Returns tokens allowed in the refresh_token
+      def exchange_refresh_token(
+        refresh_token,
+        client_id: @client_id,
+        client_secret: @client_secret
+      )
+        raise Auth0::InvalidParameter, 'Must provide a refresh token' if refresh_token.to_s.empty?
+
         request_params = {
-          client_id:     @client_id,
-          client_secret: @client_secret,
-          username:      username,
-          password:      password,
-          scope:         options.fetch(:scope, 'openid'),
-          connection:    connection_name,
-          grant_type:    options.fetch(:grant_type, password),
-          id_token:      id_token,
-          device:        options.fetch(:device, nil)
+          grant_type: 'refresh_token',
+          client_id: client_id,
+          client_secret: client_secret,
+          refresh_token: refresh_token
         }
-        post('/oauth/token', request_params)
+        ::Auth0::AccessToken.from_response post('/oauth/token', request_params)
       end
 
-      # Signup using username/password
-      # @see https://auth0.com/docs/auth-api#!#post--dbconnections-signup
-      # @param email [string] User email
-      # @param password [string] User's password
-      # @param connection_name [string] Connection name. Works for database connections.
+      # rubocop:disable Metrics/ParameterLists
+      # Get access and ID tokens using Resource Owner Password.
+      # Requires that your tenant has a Default Audience or Default Directory.
+      # @see https://auth0.com/docs/api/authentication#resource-owner-password
+      # @param login_name [string] Email or username for the connection
+      # @param password [string] Password
+      # @param client_id [string] Client ID from Application settings
+      # @param client_secret [string] Client Secret from Application settings
+      # @param realm [string] Specific realm to authenticate against
+      # @param audience [string] API audience
+      # @param scope [string] Scope(s) requested
+      #   - Include an audience (above) for API access scopes
+      #   - Use the default "openid" for userinfo calls
+      # @return [json] Returns the access_token and id_token
+      def login_with_resource_owner(
+        login_name,
+        password,
+        client_id: @client_id,
+        client_secret: @client_secret,
+        realm: nil,
+        audience: nil,
+        scope: 'openid'
+      )
+
+        raise Auth0::InvalidParameter, 'Must supply a valid login_name' if login_name.empty?
+        raise Auth0::InvalidParameter, 'Must supply a valid password' if password.empty?
+
+        request_params = {
+          username: login_name,
+          password: password,
+          client_id: client_id,
+          client_secret: client_secret,
+          realm: realm,
+          scope: scope,
+          audience: audience,
+          grant_type: realm ? 'http://auth0.com/oauth/grant-type/password-realm' : 'password'
+        }
+        ::Auth0::AccessToken.from_response post('/oauth/token', request_params)
+      end
+      # rubocop:enable Metrics/ParameterLists
+
+      # Sign up with a database connection using a username and password.
+      # @see https://auth0.com/docs/api/authentication#signup
+      # @param email [string] New user's email
+      # @param password [string] New user's password
+      # @param connection_name [string] Database connection name
       # @return [json] Returns the created user
       def signup(email, password, connection_name = UP_AUTH)
         raise Auth0::InvalidParameter, 'Must supply a valid email' if email.to_s.empty?
         raise Auth0::InvalidParameter, 'Must supply a valid password' if password.to_s.empty?
+
         request_params = {
-          client_id:  @client_id,
-          email:      email,
+          email: email,
+          password: password,
           connection: connection_name,
-          password:   password
+          client_id: @client_id
         }
         post('/dbconnections/signup', request_params)
       end
 
-      # Asks to change a password for a given user.
-      # Send an email to the user.
-      # @see https://auth0.com/docs/auth-api#!#post--dbconnections-change_password
-      # @param email [string] User email
-      # @param password [string] User's new password
-      # @param connection_name [string] Connection name. Works for database connections.
+      # Change a user's password or trigger a password reset email.
+      # @see https://auth0.com/docs/api/authentication#change-password
+      # @see https://auth0.com/docs/connections/database/password-change
+      # @param email [string] User's current email
+      # @param password [string] User's new password; empty to trigger a
+      #   password reset email
+      # @param connection_name [string] Database connection name
       def change_password(email, password, connection_name = UP_AUTH)
         raise Auth0::InvalidParameter, 'Must supply a valid email' if email.to_s.empty?
+
         request_params = {
-          client_id:  @client_id,
-          email:      email,
+          email: email,
+          password: password,
           connection: connection_name,
-          password:   password
+          client_id: @client_id
         }
         post('/dbconnections/change_password', request_params)
       end
 
-      # Start passwordless workflow sending an email
-      # @see https://auth0.com/docs/auth-api#!#post--with_email
-      # @param email [string] User email
-      # @param send [string] Defaults to 'link'. Can be 'code'. You can then authenticate with this user opening the link
-      # @param auth_params [hash] Append/override parameters to the link (like scope, redirect_uri, protocol, etc.)
+      # Start Passwordless email login flow.
+      # @see https://auth0.com/docs/api/authentication#get-code-or-link
+      # @see https://auth0.com/docs/connections/passwordless#passwordless-on-regular-web-apps
+      # @param email [string] Email to send a link or code
+      # @param send [string] Pass 'link' to send a magic link, 'code' to send a code
+      # @param auth_params [hash] Append or override the magic link parameters
       def start_passwordless_email_flow(email, send = 'link', auth_params = {})
         raise Auth0::InvalidParameter, 'Must supply a valid email' if email.to_s.empty?
+
         request_params = {
-          client_id:   @client_id,
-          connection:  'email',
-          email:       email,
-          send:        send,
-          authParams:  auth_params
+          email: email,
+          send: send,
+          authParams: auth_params,
+          connection: 'email',
+          client_id: @client_id,
+          client_secret: @client_secret
         }
         post('/passwordless/start', request_params)
       end
 
-      # Start passwordless workflow sending a SMS message
-      # @see https://auth0.com/docs/auth-api#!#post--with_sms
+      # Start Passwordless SMS login flow.
+      # @see https://auth0.com/docs/api/authentication#get-code-or-link
+      # @see https://auth0.com/docs/connections/passwordless#passwordless-on-regular-web-apps
       # @param phone_number [string] User's phone number.
       def start_passwordless_sms_flow(phone_number)
         raise Auth0::InvalidParameter, 'Must supply a valid phone number' if phone_number.to_s.empty?
-        request_params = {
-          client_id:    @client_id,
-          connection:   'sms',
-          phone_number: phone_number
-        }
-        post('/passwordless/start', request_params)
-      end
 
-      # Logins using phone number/verification code.
-      # @see https://auth0.com/docs/auth-api#!#post--ro_with_sms
-      # @param phone_number [string] User's phone number.
-      # @param code [string] Verification code.
-      # @return [json] Returns the access token and id token
-      def phone_login(phone_number, code, scope = 'openid')
-        raise Auth0::InvalidParameter, 'Must supply a valid phone number' if phone_number.to_s.empty?
-        raise Auth0::InvalidParameter, 'Must supply a valid code' if code.to_s.empty?
         request_params = {
-          client_id:  @client_id,
-          username:   phone_number,
-          password:   code,
-          scope:      scope,
+          phone_number: phone_number,
           connection: 'sms',
-          grant_type: 'password'
+          client_id: @client_id,
+          client_secret: @client_secret
         }
-        post('/oauth/ro', request_params)
+        post('/passwordless/start', request_params)
       end
 
-      # Retrives the SAML 2.0 metadata
-      # @see https://auth0.com/docs/auth-api#!#get--samlp--client_id-
+      # Retrive SAML 2.0 metadata XML for an Application.
+      # @see https://auth0.com/docs/api/authentication#get-metadata
       # @return [xml] SAML 2.0 metadata
       def saml_metadata
         get("/samlp/metadata/#{@client_id}")
       end
 
-      # Retrives the WS-Federation metadata
-      # @see https://auth0.com/docs/auth-api#!#get--wsfed--client_id-
-      # @return [xml] Federation Metadata
+      # Retrieve WS-Federation metadata XML for a tenant.
+      # @see https://auth0.com/docs/api/authentication#get-metadata36
+      # @return [xml] WS-Federation metadata
       def wsfed_metadata
         get('/wsfed/FederationMetadata/2007-06/FederationMetadata.xml')
       end
 
-      # Validates a JSON Web Token (signature and expiration)
-      # @see https://auth0.com/docs/auth-api#!#post--tokeninfo
-      # @param id_token [string] Token's id.
-      # @return User information associated with the user id (sub property) of the token.
-      def token_info(id_token)
-        raise Auth0::InvalidParameter, 'Must supply a valid id_token' if id_token.to_s.empty?
-        request_params = { id_token: id_token }
-        post('/tokeninfo', request_params)
-      end
-
-      # Refreshes a delegation token
-      # @see https://auth0.com/docs/auth-api#!#post--delegation
-      # @param refresh_token [string] Token to refresh
-      # @param target [string] Target to sign the new token.
-      # @param scope [string] Defaults to openid. Can be 'openid name email'.
-      # @param api_type [string] Defaults to app. Can be aws, azure_sb, azure_blob, firebase, layer, salesforce_api,
-      #  salesforce_sandbox_api, sap_api or wams
-      # @param extra_parameters [hash] Extra parameters.
-      # @return [json] Returns the refreshed delegation token
-      def refresh_delegation(refresh_token, target, scope = 'openid', api_type = 'app', extra_parameters = {})
-        raise Auth0::InvalidParameter, 'Must supply a valid token to refresh' if refresh_token.to_s.empty?
-        request_params = {
-          client_id:      @client_id,
-          grant_type:     JWT_BEARER,
-          refresh_token:  refresh_token,
-          target:         target,
-          api_type:       api_type,
-          scope:          scope
-        }.merge(extra_parameters)
-        post('/delegation', request_params)
-      end
-
-      # Retrives a delegation token
-      # @see https://auth0.com/docs/auth-api#!#post--delegation
-      # @param id_token [string] Token's id.
-      # @param target [string] Target to sign the new token.
-      # @param scope [string] Defaults to openid. Can be 'openid name email'.
-      # @param api_type [string] Defaults to app. Can be aws, azure_sb, azure_blob, firebase, layer, salesforce_api,
-      #  salesforce_sandbox_api, sap_api or wams
-      # @param extra_parameters [hash] Extra parameters.
-      # @return [json] Returns the refreshed delegation token
-      def delegation(id_token, target, scope = 'openid', api_type = 'app', extra_parameters = {})
-        raise Auth0::InvalidParameter, 'Must supply a valid id_token' if id_token.to_s.empty?
-        request_params = {
-          client_id:  @client_id,
-          grant_type: JWT_BEARER,
-          id_token:   id_token,
-          target:     target,
-          api_type:   api_type,
-          scope:      scope
-        }.merge(extra_parameters)
-        post('/delegation', request_params)
-      end
-
-      # Retrives an impersonation URL to login as another user
-      # @see https://auth0.com/docs/auth-api#!#post--users--user_id--impersonate
-      # @param user_id [string] Impersonate user id
-      # @param app_client_id [string] Application client id
-      # @param impersonator_id [string] Impersonator user id id.
-      # @param options [string] Additional Parameters
-      # @return [string] Impersonation URL
-      # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
-      def impersonate(user_id, app_client_id, impersonator_id, options)
-        raise Auth0::InvalidParameter, 'Must supply a valid user_id' if user_id.to_s.empty?
-        raise Auth0::InvalidParameter, 'Must supply a valid app_client_id' if app_client_id.to_s.empty?
-        raise Auth0::InvalidParameter, 'Must supply a valid impersonator_id' if impersonator_id.to_s.empty?
-        raise Auth0::MissingParameter, 'Must supply client_secret' if @client_secret.nil?
-        authorization_header obtain_access_token
-        request_params = {
-          protocol:         options.fetch(:protocol, 'oauth2'),
-          impersonator_id:  impersonator_id,
-          client_id:        app_client_id,
-          additionalParameters: {
-            response_type:  options.fetch(:response_type, 'code'),
-            state:          options.fetch(:state, ''),
-            scope:          options.fetch(:scope, 'openid'),
-            callback_url:   options.fetch(:callback_url, '')
-          }
-        }
-        result = post("/users/#{user_id}/impersonate", request_params)
-        authorization_header @token
-        result
-      end
-
-      # Unlinks a User
-      # @see https://auth0.com/docs/auth-api#!#post--unlink
-      # @param access_token [string] Logged-in user access token
-      # @param user_id [string] User Id
-      def unlink_user(access_token, user_id)
-        raise Auth0::InvalidParameter, 'Must supply a valid access_token' if access_token.to_s.empty?
-        raise Auth0::InvalidParameter, 'Must supply a valid user_id' if user_id.to_s.empty?
-        request_params = {
-          access_token:  access_token,
-          user_id: user_id
-        }
-        post('/unlink', request_params)
-      end
-
-      # Returns the user information based on the Auth0 access token.
-      # @see https://auth0.com/docs/auth-api#!#get--userinfo
+      # Return the user information based on the Auth0 access token.
+      # @see https://auth0.com/docs/api/authentication#get-user-info
       # @return [json] User information based on the Auth0 access token
-      def user_info
-        get('/userinfo')
+      def userinfo(access_token)
+        get('/userinfo', {}, 'Authorization' => "Bearer #{access_token}")
       end
 
-      # Returns an authorization URL, triggers a redirect.
-      # @see https://auth0.com/docs/auth-api#!#get--authorize_social
-      # @param redirect_uri [string] Url to redirect after authorization
-      # @param options [hash] Can contain response_type, connection, state and additional_parameters.
+      # Return an authorization URL.
+      # @see https://auth0.com/docs/api/authentication#authorization-code-grant
+      # @param redirect_uri [string] URL to redirect after authorization
+      # @param options [hash] Can contain response_type, connection, state, organization, invitation, and additional_parameters.
       # @return [url] Authorization URL.
       def authorization_url(redirect_uri, options = {})
         raise Auth0::InvalidParameter, 'Must supply a valid redirect_uri' if redirect_uri.to_s.empty?
+
         request_params = {
           client_id: @client_id,
           response_type: options.fetch(:response_type, 'code'),
           connection: options.fetch(:connection, nil),
           redirect_uri: redirect_uri,
           state: options.fetch(:state, nil),
-          scope: options.fetch(:scope, nil)
+          scope: options.fetch(:scope, nil),
+          organization: options.fetch(:organization, @organization),
+          invitation: options.fetch(:invitation, nil)
         }.merge(options.fetch(:additional_parameters, {}))
 
         URI::HTTPS.build(host: @domain, path: '/authorize', query: to_query(request_params))
       end
 
-      # Returns an logout  URL, triggers the logout flow.
-      # @see https://auth0.com/docs/auth-api#!#get--logout
-      # @param return_to [string] Url to redirect after authorization
-      # @return [url] Logout URL.
-      def logout_url(return_to)
+      # Returns an Auth0 logout URL with a return URL.
+      # @see https://auth0.com/docs/api/authentication#logout
+      # @see https://auth0.com/docs/logout
+      # @param return_to [string] URL to redirect after logout.
+      # @param include_client [bool] Include the client_id in the logout URL.
+      # @param federated [boolean] Perform a federated logout.
+      # @return [url] Logout URI
+      def logout_url(return_to, include_client: false, federated: false)
         request_params = {
-          returnTo: return_to
+          returnTo: return_to,
+          client_id: include_client ? @client_id : nil,
+          federated: federated ? '1' : nil
         }
 
-        URI::HTTPS.build(host: @domain, path: '/logout', query: to_query(request_params))
+        URI::HTTPS.build(
+          host: @domain,
+          path: '/v2/logout',
+          query: to_query(request_params)
+        )
       end
 
-      # Returns a samlp URL. The SAML Request AssertionConsumerServiceURL will be used to POST back the assertion
-      # and it has to match with the application callback URL.
-      # @see https://auth0.com/docs/auth-api#get--samlp--client_id-
-      # @param connection [string] to login with a specific provider.
-      # @return [url] samlp URL.
+      # Return a SAMLP URL.
+      # The SAML Request AssertionConsumerServiceURL will be used to POST back
+      # the assertion and it must match with the application callback URL.
+      # @see https://auth0.com/docs/api/authentication#accept-request
+      # @param connection [string] Connection to use; empty to show all
+      # @return [url] SAMLP URL
       def samlp_url(connection = UP_AUTH)
         request_params = {
           connection: connection
@@ -316,22 +278,67 @@ module Auth0
         URI::HTTPS.build(host: @domain, path: "/samlp/#{@client_id}", query: to_query(request_params))
       end
 
-      # Returns a wsfed URL.
-      # @see https://auth0.com/docs/auth-api#get--wsfed--client_id-
-      # @param connection [string] to login with a specific provider.
-      # @return [url] wsfed URL.
-      def wsfed_url(connection = UP_AUTH)
+      # Return a WS-Federation URL.
+      # @see https://auth0.com/docs/api/authentication#accept-request35
+      # @param connection [string] Connection to use; empty to show all
+      # @param options [hash] Extra options; supports wtrealm, wctx, wreply
+      # @return [url] WS-Federation URL
+      def wsfed_url(connection = UP_AUTH, options = {})
         request_params = {
-          whr: connection
+          whr: connection,
+          wtrealm: options[:wtrealm],
+          wctx: options[:wctx],
+          wreply: options[:wreply]
         }
-        URI::HTTPS.build(host: @domain, path: "/wsfed/#{@client_id}", query: to_query(request_params))
+
+        url_client_id = @client_id unless request_params[:wtrealm]
+        URI::HTTPS.build(
+          host: @domain,
+          path: "/wsfed/#{url_client_id}",
+          query: to_query(request_params)
+        )
+      end
+
+      # Validate an ID token (signature and expiration).
+      # @see https://auth0.com/docs/tokens/guides/validate-id-tokens
+      # @param id_token [string] The JWT to validate.
+      # @param algorithm [JWKAlgorithm] The expected signing algorithm.
+
+      # @param leeway [integer] The clock skew to accept when verifying date related claims in seconds.
+      #   Must be a non-negative value. Defaults to *60 seconds*.
+      # @param nonce [string] The nonce value sent during authentication.
+      # @param max_age [integer] The max_age value sent during authentication.
+      #   Must be a non-negative value.
+      # @param issuer [string] The expected issuer claim value.
+      #   Defaults to +https://YOUR_AUTH0_DOMAIN/+.
+      # @param audience [string] The expected audience claim value.
+      #   Defaults to your *Auth0 Client ID*.
+      # @param organization [string] Organization ID
+      #   Defaults to your *Auth0 Organization ID*.
+      # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Metrics/ParameterLists
+      def validate_id_token(id_token, algorithm: nil, leeway: 60, nonce: nil, max_age: nil, issuer: nil, audience: nil, organization: @organization)
+        context = {
+          issuer: issuer || "https://#{@domain}/",
+          audience: audience || @client_id,
+          algorithm: algorithm || Auth0::Algorithm::RS256.jwks_url("https://#{@domain}/.well-known/jwks.json"),
+          leeway: leeway
+        }
+
+        context[:nonce] = nonce unless nonce.nil?
+        context[:max_age] = max_age unless max_age.nil?
+        context[:organization] = organization unless !organization
+
+        Auth0::Mixins::Validation::IdTokenValidator.new(context).validate(id_token)
       end
+      # rubocop:enable Metrics/MethodLength, Metrics/AbcSize, Metrics/ParameterLists
 
       private
 
+      # Build a URL query string from a hash.
       def to_query(hash)
-        hash.map { |k, v| "#{k}=#{URI.escape(v)}" unless v.nil? }.reject(&:nil?).join('&')
+        hash.map { |k, v| "#{k}=#{CGI.escape(v)}" unless v.nil? }.reject(&:nil?).join('&')
       end
     end
   end
 end
+# rubocop:enable Metrics/ModuleLength

data/lib/auth0/api/v2/anomaly.rb

@@ -0,0 +1,36 @@
+module Auth0
+  module Api
+    module V2
+      # Methods to use the anomaly endpoints
+      module Anomaly
+        # Use this route to determine if a given IP is currently blocked
+        # by the failed login to multiple user accounts trigger.
+        # @see https://auth0.com/docs/api/management/v2#!/Anomaly/get_ips_by_id
+        # @param ip [string] The IP to check.
+        def check_if_ip_is_blocked(ip)
+          raise Auth0::InvalidParameter, 'Must specify an IP' if ip.to_s.empty?
+
+          path = "#{anomaly_path}/#{ip}"
+          get(path)
+        end
+
+        # Resets an IP that is currently blocked by the failed login to multiple user accounts trigger.
+        # @see https://auth0.com/docs/api/management/v2#!/Anomaly/delete_ips_by_id
+        # @param ip [string] The IP to remove block.
+        def remove_ip_block(ip)
+          raise Auth0::InvalidParameter, 'Must specify an IP' if ip.to_s.empty?
+
+          path = "#{anomaly_path}/#{ip}"
+          delete(path)
+        end
+
+        private
+
+        # Anomaly API path
+        def anomaly_path
+          @anomaly_path ||= '/api/v2/anomaly/blocks/ips'
+        end
+      end
+    end
+  end
+end