Okta provides the capability to activate per-client rate limiting, which helps safeguard against a single client causing congestion on Okta’s /login/login.htm and OAuth 2.0 /authorize endpoints. You can find more information on this feature at Configure client-based rate limiting.
Now, we have a specific requirement related to OAuth Service Clients (Client Credentials Grant). We need to implement rate limits for the access tokens they request. These OAuth service clients exclusively utilize the /token endpoint. What steps can we take to enforce client-based rate limiting for OAuth service clients employing the client credentials grant?
I don’t believe there is a way to set up Client-Based RL for the /token endpoint; its RL would fall under:
For the Resource Owner Password Grant type the /token endpoint is limited to 4 per second.
This might be a good enhancement request at ideas.okta.com to see if something similar could be done for the Client Credentials flow.
This issue is ongoing for our OAuth service clients (client credentials grant). We have tried several workarounds, but it will be easier if Okta provides a way to limit access token requests.
If possible, prioritize this feature request.
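Since, according to the answer above, client-based rate limiting cannot be configured for the /token endpoint, the remaining option is for the service client to limit itself. The following is an added example, not code from this thread or from Okta: a small per-scope token cache that reuses each client-credentials access token until shortly before it expires and caps how many /token calls the process makes per second. The cap of 4 per second and the 60-second refresh margin are assumptions chosen for illustration (the 4/s figure echoes the Resource Owner Password figure quoted above, not a documented client-credentials limit). The token endpoint and the clock are injected so the example runs offline against constructed fakes; in production, fetch_token would POST grant_type=client_credentials (with the client's credentials) to your Okta authorization server's /token URL and return the RFC 6749 token response.

```python
import threading
import time
from collections import deque


class TokenRequestBudgetExceeded(Exception):
    """Raised when a /token call would exceed the client's own per-second cap."""


class ClientCredentialsTokenCache:
    """Cache client-credentials tokens per scope and cap /token calls per second.

    fetch_token(scope) -> dict is the only outbound call: it POSTs
    grant_type=client_credentials to the token endpoint and returns the
    RFC 6749 token response ({"access_token": ..., "expires_in": ...}).
    It and `clock` are injected so the class runs offline against fakes.
    """

    def __init__(self, fetch_token, max_requests_per_second=4,
                 refresh_margin_s=60, clock=time.monotonic):
        # 4/s and 60 s are illustrative assumptions, not Okta-documented values.
        self._fetch_token = fetch_token
        self._max_rps = max_requests_per_second
        self._margin = refresh_margin_s
        self._clock = clock
        self._lock = threading.Lock()
        self._cache = {}        # scope -> (access_token, refresh_at)
        self._recent = deque()  # timestamps of /token calls in the last second

    def get_token(self, scope):
        now = self._clock()
        with self._lock:
            entry = self._cache.get(scope)
            if entry is not None and now < entry[1]:
                return entry[0]  # cache hit: no /token call at all
            while self._recent and now - self._recent[0] >= 1.0:
                self._recent.popleft()  # slide the one-second window
            if len(self._recent) >= self._max_rps:
                raise TokenRequestBudgetExceeded(
                    f"{self._max_rps} /token calls already made this second")
            self._recent.append(now)
            resp = self._fetch_token(scope)
            expires_in = int(resp.get("expires_in", 0))
            # Refresh ahead of expiry, but never so early that a short-lived
            # token would be refetched on every call.
            margin = min(self._margin, expires_in // 2)
            self._cache[scope] = (resp["access_token"], now + expires_in - margin)
            return resp["access_token"]


class FakeTokenEndpoint:
    """Constructed stand-in for POST /token: counts calls, returns RFC 6749 shape."""

    def __init__(self, expires_in=3600):
        self.calls, self.expires_in = 0, expires_in

    def __call__(self, scope):
        self.calls += 1
        return {"token_type": "Bearer", "expires_in": self.expires_in,
                "access_token": f"tok-{scope}-{self.calls}", "scope": scope}


class FakeClock:
    """Constructed clock that only moves when advance() is called."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Show cache hits, the per-second cap, and refresh shortly before expiry."""
    endpoint, clock = FakeTokenEndpoint(expires_in=3600), FakeClock()
    cache = ClientCredentialsTokenCache(endpoint, max_requests_per_second=4,
                                        refresh_margin_s=60, clock=clock)
    for _ in range(50):                   # fifty callers, a single /token call
        cache.get_token("inventory.read")
    calls_after_hits = endpoint.calls
    for i in range(3):                    # three new scopes fill the 4/s cap
        cache.get_token(f"scope{i}")
    try:
        cache.get_token("scope-extra")    # would be the fifth call this second
        burst_rejected = False
    except TokenRequestBudgetExceeded:
        burst_rejected = True
    clock.advance(1.0)
    cache.get_token("scope-extra")        # window has moved on: allowed
    clock.advance(3600 - 60)              # past inventory.read's refresh_at
    cache.get_token("inventory.read")     # refetched before it actually expires
    return {"calls_after_hits": calls_after_hits,
            "burst_rejected": burst_rejected, "total_calls": endpoint.calls}


if __name__ == "__main__":
    print(demo())
```

The lock is held across the fetch on purpose: concurrent callers for the same scope wait for one /token round trip instead of each issuing their own, which is the thundering-herd case that usually drives a service client into Okta's limits in the first place. Raising on an exhausted budget (rather than sleeping) keeps the decision with the caller, which can queue, back off, or fail fast as suits the workload.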