Client based rate limits not enforced

mathieuv · June 22, 2021, 8:24am

Context: We use the signin widget in a react SPA, although we observe the same issue when using the okta hosted login page.

We noticed that the rate limit in place when calling the /authn endpoint to initiate login was set to 500. After checking the documentation (Client-based rate limits | Okta Developer), we checked our organization’s settings and noticed the “Enforce and log per client (recommended)” option wasn’t used, so we switched to it. This should enforce a rate limit of 60 requests per minute.

However, even after switching to it, we didn’t notice any changes in rate limit in the headers (it is still at 500). Does anyone have a clue why the rate limit isn’t being enforced?

okra-okta · June 22, 2021, 5:55pm

I don’t believe the /authn endpoint falls under client-based rate limit.

Currently, a client-based rate limit only applies to an authorization server’s /authorize or /login/login.htm endpoint.

mathieuv · June 24, 2021, 9:02am

Thanks for the answer! This spawns other questions for me but I’ll ask them in a separate thread.

system · June 25, 2021, 9:02am

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.

Post		Replies	Views
How to enforce Client-Based Rate Limiting for OAuth Service Clients (Client Credentials Grant) in Okta? OAuth/OIDC	3	1823	February 15, 2024
REST API rate limit Questions	3	3204	December 3, 2021
Clarification on rate limits API	2	2134	November 22, 2022
Per-user limits change API	2	2235	December 2, 2022
Web test/scalability test with okta best practices Questions	2	4640	February 19, 2019

Client based rate limits not enforced

Related topics