Okta has a per-user rate limit of 4 calls per second on obtaining/refreshing access tokens, i.e. the same user ID cannot exceed 4 calls a second to obtain a new access token.
The user rate limit does not currently apply to converting a refresh token to an access token. For a variety of reasons, we have issues being rate limited on our back-end systems using access tokens for authentication in system-to-system integrations.
We are looking at changing the code to get a refresh token and then using it to obtain an access token as one way to work around this. However, I’m not entirely sure this is a good idea, due to a couple of issues:
a) the length of time the refresh token is active is typically very long
b) the length of time the refresh token is active is not easily available, as it is configured within Okta
c) this may be a hole in Okta’s rate limit implementation and could be closed in the future.
Does anyone have thoughts on this, especially with regards to adding this flow to the current user rate limitations?
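A concrete shape for the flow being considered, as an added example that is not part of the original question and not Okta's own code: a token client that caches the access token until shortly before expiry (so most calls never reach the token endpoint at all), uses the refresh_token grant only when the cached token is about to expire, falls back to the original grant once if the refresh token has expired or been revoked (HTTP 400 invalid_grant), and surfaces a 429 with the wait time instead of retrying blindly. The token endpoint is injected as a callable so the example runs offline; `FakeOktaTokenEndpoint` is a constructed stand-in, the `initial_grant` dict is a placeholder for whatever grant the system currently uses, and the `X-Rate-Limit-Reset` / `Retry-After` header handling is an assumption about how the limit is signalled.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class TokenResponse:
    """Minimal view of an HTTP response from a token endpoint."""
    status: int
    body: Dict[str, object] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


class RateLimited(Exception):
    def __init__(self, retry_after: float) -> None:
        super().__init__(f"token endpoint rate limited; retry in {retry_after:.0f}s")
        self.retry_after = retry_after


@dataclass
class TokenClient:
    # endpoint(params) performs the POST; injected so the example runs offline.
    endpoint: Callable[[Dict[str, str]], TokenResponse]
    client_id: str
    client_secret: str
    scope: str
    # Grant used to bootstrap (must include "grant_type"). Assumed placeholder
    # for whatever grant the integration uses today.
    initial_grant: Dict[str, str]
    refresh_skew: float = 60.0            # renew this many seconds before expiry
    clock: Callable[[], float] = time.time
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    expires_at: float = 0.0
    grant_calls: Dict[str, int] = field(default_factory=dict)  # how often each grant hit Okta

    def get_access_token(self) -> str:
        """Return a usable access token, calling the token endpoint only when needed."""
        now = self.clock()
        if self.access_token and now < self.expires_at - self.refresh_skew:
            return self.access_token       # cached: no call, so no rate-limit hit
        if self.refresh_token:
            params = {"grant_type": "refresh_token", "refresh_token": self.refresh_token}
        else:
            params = dict(self.initial_grant)
        params.update(client_id=self.client_id, client_secret=self.client_secret, scope=self.scope)
        grant = params["grant_type"]
        self.grant_calls[grant] = self.grant_calls.get(grant, 0) + 1
        resp = self.endpoint(params)
        if resp.status == 429:
            raise RateLimited(self._retry_after(resp, now))
        if grant == "refresh_token" and resp.status == 400 and resp.body.get("error") == "invalid_grant":
            # Refresh token expired or revoked: drop it and fall back to the initial grant once.
            self.refresh_token = None
            self.access_token = None
            return self.get_access_token()
        if resp.status != 200:
            raise RuntimeError(f"token request failed: HTTP {resp.status} {resp.body}")
        self._store(resp.body, now)
        return self.access_token

    def _store(self, body: Dict[str, object], now: float) -> None:
        self.access_token = str(body["access_token"])
        self.expires_at = now + float(body.get("expires_in", 3600))
        if body.get("refresh_token"):      # keep the latest token if the server rotates it
            self.refresh_token = str(body["refresh_token"])

    @staticmethod
    def _retry_after(resp: TokenResponse, now: float) -> float:
        # Assumed: reset time arrives as X-Rate-Limit-Reset (epoch seconds)
        # or Retry-After (seconds). Never return less than one second.
        h = {k.lower(): v for k, v in resp.headers.items()}
        if "x-rate-limit-reset" in h:
            return max(float(h["x-rate-limit-reset"]) - now, 1.0)
        if "retry-after" in h:
            return max(float(h["retry-after"]), 1.0)
        return 1.0


class FakeOktaTokenEndpoint:
    """Constructed stand-in for the token endpoint: issues numbered tokens,
    records every request, and can be primed with one failure response."""

    def __init__(self, expires_in: int = 300) -> None:
        self.expires_in = expires_in
        self.n = 0
        self.calls: List[Dict[str, str]] = []
        self.next_response: Optional[TokenResponse] = None

    def __call__(self, params: Dict[str, str]) -> TokenResponse:
        self.calls.append(dict(params))
        if self.next_response is not None:
            resp, self.next_response = self.next_response, None
            return resp
        self.n += 1
        return TokenResponse(200, {"access_token": f"at-{self.n}", "refresh_token": f"rt-{self.n}",
                                   "expires_in": self.expires_in, "token_type": "Bearer"})
```

Whichever grant ends up being used, the cache is what keeps the per-user token endpoint traffic down: a system-to-system caller that reuses one access token for its lifetime touches the endpoint once per `expires_in` window rather than once per request, and only that renewal call is exposed to the 4-per-second limit.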