Client based rate limits not enforced

Context: We use the signin widget in a react SPA, although we observe the same issue when using the okta hosted login page.

We noticed that the rate limit in place when calling the /authn endpoint to initiate login was set to 500. After checking the documentation (Client-based rate limits | Okta Developer), we checked our organization’s settings and noticed the “Enforce and log per client (recommended)” option wasn’t used, so we switched to it. This should enforce a rate limit of 60 requests per minute.

However, even after switching to it, we didn’t notice any changes in rate limit in the headers (it is still at 500). Does anyone have a clue why the rate limit isn’t being enforced?

image

I don’t believe the /authn endpoint falls under client-based rate limit.

Currently, a client-based rate limit only applies to an authorization server’s /authorize or /login/login.htm endpoint.

https://developer.okta.com/docs/reference/rl-clientbased/#frequently-asked-questions

Thanks for the answer! This spawns other questions for me but I’ll ask them in a separate thread.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.