Okta provides the capability to activate per-client rate limiting, which helps safeguard against a single client causing congestion on Okta’s /login/login.htm and OAuth 2.0 /authorize endpoints. You can find more information on this feature at Configure client-based rate limiting.

Now, we have a specific requirement related to OAuth Service Clients (Client Credentials Grant). We need to implement rate limits for the access tokens they request. These OAuth service clients exclusively utilize the /token endpoint. What steps can we take to enforce client-based rate limiting for OAuth service clients employing the client credentials grant?
I don’t believe there is a way to set up Client-Based RL for the /token endpoint; its RL would fall under:

For the Resource Owner Password Grant type, the /token endpoint is limited to 4 per second.
This might be a good enhancement Request at ideas.okta.com to see if something similar could be done for the Client Credentials flow.
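Since Okta’s client-based rate limiting does not cover the /token endpoint for this grant, the only place a tenant can enforce a per-client ceiling today is in front of the authorization server. The following is an added example written for this thread, not code from Okta and not an Okta feature: a token-bucket limiter keyed by client_id that a reverse proxy or API gateway (assumed to sit between the service clients and /token) can apply to client_credentials requests. The 4-per-second default is borrowed from the per-second figure quoted above for the Resource Owner Password grant; the client identifiers, secrets and request bodies are constructed for the example.

```python
"""Per-client_id rate limiting for OAuth 2.0 client_credentials /token requests.

Added example (not part of the forum thread, not an Okta feature). Assumes a
proxy or gateway in front of the authorization server can see the raw
/token request and decide whether to forward it. Only the client identifier
is inspected; the client secret is never stored or logged.
"""
import base64
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs


class TokenBucket:
    """Classic token bucket: `capacity` requests of burst, refilled at `rate`/s."""

    def __init__(self, capacity: float, rate: float, now: float) -> None:
        self.capacity = capacity
        self.rate = rate
        self.tokens = capacity  # a new client starts with a full bucket
        self.last = now

    def try_consume(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def basic_auth_header(client_id: str, client_secret: str) -> Dict[str, str]:
    """Build the HTTP Basic client-authentication header defined in RFC 6749."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def extract_client_id(headers: Dict[str, str], body: str) -> Optional[str]:
    """Identify the OAuth client from a /token request.

    RFC 6749 lets a confidential client authenticate with HTTP Basic (client_id
    as the username) or with client_id in the form body. Either way the limiter
    only needs the identifier.
    """
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):]).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        client_id, _, _ = decoded.partition(":")
        return client_id or None
    values = parse_qs(body).get("client_id")
    return values[0] if values else None


class ClientTokenLimiter:
    """Per-client_id token bucket for POST /token with grant_type=client_credentials."""

    def __init__(self, per_second: float = 4.0, burst: int = 4) -> None:
        self.per_second = per_second
        self.burst = burst
        self.buckets: Dict[str, TokenBucket] = {}

    def decide(self, headers: Dict[str, str], body: str, now: float) -> Tuple[int, str]:
        """Return (HTTP status, reason). 200 means forward to the real /token."""
        grant = parse_qs(body).get("grant_type", [""])[0]
        if grant != "client_credentials":
            return 200, "pass-through (other grant types are not limited here)"
        client_id = extract_client_id(headers, body)
        if client_id is None:
            # A client_credentials request without client identification cannot
            # succeed downstream anyway; reject it before it costs /token capacity.
            return 401, "missing client identification"
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = TokenBucket(self.burst, self.per_second, now)
            self.buckets[client_id] = bucket
        if bucket.try_consume(now):
            return 200, f"forward to /token for client {client_id}"
        # RFC 6585 status for rate limiting; a real proxy would also set Retry-After.
        return 429, f"rate limit exceeded for client {client_id}"


def simulate_burst(n: int = 10) -> Dict[int, int]:
    """Constructed scenario: one service client fires `n` token requests at t=0."""
    limiter = ClientTokenLimiter(per_second=4.0, burst=4)
    headers = basic_auth_header("svc-example-a", "not-a-real-secret")
    body = "grant_type=client_credentials&scope=example.read"
    counts: Dict[int, int] = {}
    for _ in range(n):
        status, _reason = limiter.decide(headers, body, 0.0)
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    print(simulate_burst())  # expected: {200: 4, 429: 6}
```

Each client_id gets its own bucket, so one noisy service client is throttled without affecting the others, which is exactly the per-client property the thread asks for. The limiter is deliberately grant-aware: requests for other grant types pass through untouched, so it can be deployed in front of the whole /token path.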
Thanks @erik for your quick response.
I have submitted this feature request: https://ideas.okta.com/app/#/case/187066
This issue is ongoing for our OAuth service clients (client credentials grant). We have tried several workarounds but it will be easier if Okta provides a way to limit access token requests.
If possible, prioritize this feature request.