All of the authentication-related endpoints (authn, oauth2/token) have a shared rate limit quota. When there is a flood of requests to those APIs (even with unauthenticated requests), the quota will be consumed and soon end in service unavailability until the next quota reset.
This attack seems to be easily achievable with some scripting or tools. The question is: what is the best strategy to defend against this kind of attack? IP blocklisting might be helpful, but it will require explicit manual configuration.