Add rate limiting and cache for m2m token authentication endpoints


Feature: Provide a short title of your feature request/feedback.

Allow cache and rate limiting by client id for m2m token authentication endpoints.

Description: Give us some details about your feedback/feature request. Examples, screenshots, videos, etc. are helpful.

This is a similar ask related to Please provide a built-in solution to rate-limit and cache M2M authentication tokens - Auth0 Community

Use-case: Tell us what you are building. How would the feedback/feature improve your experience?

We use m2m tokens to allow our (B2B) clients to integrate with our APIs. However, it’s really hard to control their implementation.
It’s not uncommon that their server keeps calling auth0 asking for new m2m tokens that can lead to over-quota pretty easily.

Right now, we are adding another layer on top of auth0 to cache tokens that are still valid.

I have exactly the same requirement.
This is crucial to avoid (our) customer misunderstandings and abuse.
An action that can alleviate this could also be a way to solve it.

I ended up wrapping a thin layer of API that has a built-in cache around the token endpoints.

Hi there, can you share the details of how you did it?

@dayeye2006 I am interested in how you handled this issue. We are considering a similar solution. Did you end up caching your third-party clients' tokens and also rate limiting their requests?

@konrad.sopala Are you able to provide an update on this request? Or suggestions for mitigating the concerns raised?

Roughly I am doing things like below:

def get_token(client_id, client_secret):
    cached_token = cache.get(client_id)
    # Only call Auth0 when there is no cached token or it has expired;
    # otherwise reuse the cached one (cache, is_expire and call_auth0 are defined elsewhere).
    if cached_token is None or is_expire(cached_token):
        token = call_auth0(client_id, client_secret)
        cache.put(client_id, token)
    else:
        token = cached_token
    return token

@dayeye2006 Nice job. Can we do that in an Auth0 hook? We can’t really work with Auth0 M2M under this pricing model!

I have the same need!
Is there a way to cache on auth0 actions?

Not being able to cache M2M tokens or to rate-limit the generation of these tokens by application is a real show-stopper for us.

We wanted to open up our APIs to partners, but this is impossible in the current state. Within a few minutes, one single partner/customer can block the APIs for everyone else.

The two solutions that I see here, are:

  • Put a rate limit on token generation by application, so that an M2M API consumer can only block itself if generation is abused.
  • Implement a cache for generated tokens so that the API owners can control the generation through token lifetime.

What has been suggested in the past is to use a Hook/Action to control the token generation or the cache. But this would need something like a Redis instance openly available on the Internet to cache lifetimes, application IDs, etc. This is both a problem for high availability and for security.

We would gladly pay more, but the upgraded account types only contain more tokens per month. So the problem would remain the same.
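As an added illustration of the two solutions listed above (a per-application rate limit on token generation, and a cache keyed by client id that honours the token lifetime), and of the caching wrapper @dayeye2006 sketched earlier in the thread, here is example code that is not from Auth0 and not from any poster here. It stands in front of the token endpoint the way the wrappers described in this thread do: it assumes a hypothetical `fetch_token` callable representing the real token endpoint, and the names `TokenGateway`, `RateLimited` and `FakeAuthServer` (a constructed stand-in that only counts requests) are assumptions for the example. The clock is injectable so the expiry and rate-limit behaviour can be exercised offline.

```python
import time
from threading import Lock


class RateLimited(Exception):
    """Raised when a client_id has used up its token-request budget."""


class TokenGateway:
    """Thin layer in front of a token endpoint (hypothetical fetch_token callable).

    Tokens are cached per client_id and reused until `safety_margin` seconds
    before expiry, so repeated calls cost one upstream request. Cache misses
    are rate-limited per client_id with a token bucket (`burst` at once,
    refilling one per `min_interval` seconds), so an abusive client only
    blocks itself, never the other API consumers.
    """

    def __init__(self, fetch_token, min_interval=60.0, burst=2,
                 safety_margin=60.0, clock=time.monotonic):
        self._fetch = fetch_token        # (client_id, secret) -> (token, expires_in)
        self._interval = min_interval
        self._burst = burst
        self._margin = safety_margin
        self._clock = clock
        self._cache = {}                 # client_id -> (token, expires_at)
        self._buckets = {}               # client_id -> (tokens_left, last_refill)
        self._lock = Lock()              # serialises fetches: no duplicate upstream calls

    def _allow(self, client_id, now):
        """Token-bucket check for one client_id; consumes one unit when allowed."""
        tokens, last = self._buckets.get(client_id, (float(self._burst), now))
        tokens = min(float(self._burst), tokens + (now - last) / self._interval)
        if tokens < 1.0:
            self._buckets[client_id] = (tokens, now)
            return False
        self._buckets[client_id] = (tokens - 1.0, now)
        return True

    def get_token(self, client_id, client_secret):
        now = self._clock()
        with self._lock:
            cached = self._cache.get(client_id)
            if cached is not None and cached[1] - self._margin > now:
                return cached[0]         # hit: no upstream call, no quota consumed
            if not self._allow(client_id, now):
                raise RateLimited(f"client {client_id} exceeded its token-request budget")
            token, expires_in = self._fetch(client_id, client_secret)
            self._cache[client_id] = (token, now + expires_in)
            return token


class FakeAuthServer:
    """Constructed stand-in for the real token endpoint; counts upstream requests."""

    def __init__(self, expires_in):
        self.expires_in, self.calls = expires_in, 0

    def fetch(self, client_id, client_secret):
        self.calls += 1
        return f"tok-{client_id}-{self.calls}", self.expires_in


def run_scenarios():
    """Drive the gateway with a manual clock; returns the observable counts."""
    now = [0.0]
    clock = lambda: now[0]

    # 1) A chatty partner calls 100 times in one second: one upstream request,
    #    every caller gets the same token.
    server = FakeAuthServer(expires_in=3600)
    gw = TokenGateway(server.fetch, min_interval=60.0, burst=2,
                      safety_margin=60.0, clock=clock)
    tokens = {gw.get_token("partner-a", "secret-a") for _ in range(100)}
    after_burst = (len(tokens), server.calls)

    # 2) Still served from cache just outside the safety margin, refetched inside it.
    now[0] = 3539.0
    gw.get_token("partner-a", "secret-a")
    before_margin = server.calls
    now[0] = 3541.0
    gw.get_token("partner-a", "secret-a")
    after_margin = server.calls

    # 3) A client whose tokens are never cacheable (expires_in=0) gets `burst`
    #    upstream requests, is then limited, and earns one more after 60 s.
    short = FakeAuthServer(expires_in=0)
    gw2 = TokenGateway(short.fetch, min_interval=60.0, burst=2,
                       safety_margin=0.0, clock=clock)
    now[0] = 0.0
    outcomes = []
    for step in range(4):
        if step == 3:
            now[0] = 60.0
        try:
            gw2.get_token("partner-b", "secret-b")
            outcomes.append("ok")
        except RateLimited:
            outcomes.append("limited")

    return {"after_burst": after_burst, "before_margin": before_margin,
            "after_margin": after_margin, "outcomes": outcomes,
            "partner_b_calls": short.calls}


if __name__ == "__main__":
    print(run_scenarios())
```

The safety margin keeps the wrapper from handing out a token that would expire mid-request, and the single lock means concurrent callers for the same client id trigger one upstream fetch rather than a burst of them. The cache here is per process; across several instances it would have to live in a shared store, which is exactly the Redis availability and exposure concern raised above, so that store should be reachable only from the wrapper, not from the Internet.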

This has also been discussed a long time ago here:

This feature would be highly appreciated!

If we have a solution where we use the Redis cache and then throw an error when we hit the specific limit that we set, does the token usage only increment on successful passes, or does it count for each invocation of the API?