Add rate limiting and cache for m2m token authentication endpoints


Summary of this issue:

  • Auth0 sells a solution which offers no protection against (possibly external) developers generating unlimited (?) costs on your account.
  • The only possible solution is to implement custom code around Auth0, negating the key value of SaaS.
  • Auth0 expected a solution in Q4 2023, then in Q2 2024, now… ?
  • Best practice solution is to move away from Auth0.

@konrad.sopala I would like to point out that this is not just nice-to-have, it’s a make-or-break issue, the lack of which - as you can read in various threads - is pushing customers away from your platform.


Hi @support! I see that both @konrad.sopala and @dan.woda haven’t been seen in this forum for several months, so I figured that one of you might post an update on the status here. The last posted target date here is Q2 2024, which we’re in right now. Any news on this?


Hi all, apologies for the delayed response here:

Limit M2M Usage Per Client has been moved from Q2 2024 to Q4 2024 - I unfortunately don’t have an update with regards to caching.

We appreciate your patience and understanding.

Just checking in to ask if this is still on track for Q4 @tyf? The risk of lazy integration partners racking up M2M token charges is a huge issue.

Hello @tyf, any updates on this subject?
Could we at least know if the target date Q4 2024 will be met?

Thanks

I had to undo work I had put into using M2M tokens in Actions because the cache is so short-lived that I quickly ran into my account’s token retrieval limits. I’m now implementing a workaround utilizing AWS Secrets Manager, which is disappointing because I’m tying in another piece of infrastructure/security layer for something that could be solved if Auth0 had a longer cache time for Actions.
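As an added example, not part of the thread and not Auth0's code: the kind of wrapper the posts above say has to be built around Auth0 for client-credentials (M2M) tokens. It reuses a token until shortly before it expires, collapses a burst of concurrent callers into a single token request, and caps how many token requests may reach the endpoint per window, serving a still-valid token or failing closed once the cap is hit. The tenant URL, client id and secret are placeholders, and the token endpoint is a constructed stub so the file runs offline; a real caller would POST the same body to `https://<tenant>.auth0.com/oauth/token`.

```javascript
// Added example, not code from the thread or from Auth0: a client-credentials (M2M)
// token cache with a per-window request cap. The token endpoint is a constructed stub
// so this runs offline; tenant, client id and secret below are placeholders.

const CLIENT_ID = "example-client-id";         // assumption: placeholder credentials
const CLIENT_SECRET = "example-client-secret";

class M2MTokenCache {
  constructor({ requestToken, now = () => Date.now(), maxRequests = 10,
                windowMs = 60 * 60 * 1000, skewMs = 30 * 1000 }) {
    this.requestToken = requestToken; // async (body) => { access_token, expires_in }
    this.now = now;                   // injectable clock (ms) so expiry can be simulated
    this.maxRequests = maxRequests;   // token requests allowed per sliding window
    this.windowMs = windowMs;
    this.skewMs = skewMs;             // refresh this long before the token actually expires
    this.entries = new Map();         // audience -> { token, expiresAt }
    this.inflight = new Map();        // audience -> pending refresh, so a burst shares one request
    this.requestTimes = [];           // timestamps of token requests inside the window
    this.totalRequests = 0;           // every call that reached the (stub) token endpoint
  }

  async getToken(audience) {
    const now = this.now();
    const cached = this.entries.get(audience);
    if (cached && cached.expiresAt - this.skewMs > now) return cached.token; // cache hit
    if (this.inflight.has(audience)) return this.inflight.get(audience);   // join refresh in progress
    const pending = this.refresh(audience, cached).finally(() => this.inflight.delete(audience));
    this.inflight.set(audience, pending);
    return pending;
  }

  async refresh(audience, stale) {
    const now = this.now();
    this.requestTimes = this.requestTimes.filter((t) => now - t < this.windowMs);
    if (this.requestTimes.length >= this.maxRequests) {
      // Cap reached: serve a token that is inside the skew but still valid, otherwise fail
      // closed rather than let a misbehaving caller keep hitting the paid token endpoint.
      if (stale && stale.expiresAt > now) return stale.token;
      throw new Error(`M2M token request cap of ${this.maxRequests} per window exceeded for ${audience}`);
    }
    this.requestTimes.push(now);
    this.totalRequests += 1;
    const res = await this.requestToken({
      grant_type: "client_credentials",
      client_id: CLIENT_ID,
      client_secret: CLIENT_SECRET,
      audience,
    });
    if (typeof res.access_token !== "string" || !(res.expires_in > 0)) {
      throw new Error("malformed token response");
    }
    this.entries.set(audience, { token: res.access_token, expiresAt: now + res.expires_in * 1000 });
    return res.access_token;
  }
}

// Constructed stub standing in for the token endpoint; each call mints a distinct token.
function makeStubTokenEndpoint(expiresIn) {
  let minted = 0;
  return async (body) => {
    if (body.grant_type !== "client_credentials") throw new Error("unsupported grant");
    minted += 1;
    return { access_token: `stub-${minted}`, token_type: "Bearer", expires_in: expiresIn };
  };
}

// Walks the cache through a hit, a concurrent burst, near-expiry under the cap, and
// expiry under the cap. Returns the observations so they can be checked.
async function demo() {
  let clock = 0;
  const cache = new M2MTokenCache({
    requestToken: makeStubTokenEndpoint(3600),
    now: () => clock,
    maxRequests: 2,
    windowMs: 24 * 60 * 60 * 1000,
  });
  const api = "https://api.example.com";
  const first = await cache.getToken(api);
  const second = await cache.getToken(api);                      // hit: no second request
  const burst = await Promise.all([cache.getToken("https://other.example.com"),
                                   cache.getToken("https://other.example.com")]); // one request
  clock = 3600 * 1000 - 10 * 1000;  // inside the 30 s skew: refresh wanted, but the cap (2) is hit
  const nearExpiry = await cache.getToken(api);                  // still-valid stale token served
  clock = 3600 * 1000 + 1;          // token expired and cap still hit: fail closed
  let failure = null;
  try { await cache.getToken(api); } catch (e) { failure = e.message; }
  return { first, second, burst, nearExpiry, failure, totalRequests: cache.totalRequests };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In an Action the in-memory Map would have to be replaced by whatever persistence the Action cache gives you, which is exactly where the short TTL the post above describes bites; outside Actions (a service or a scheduled refresher) the Map or a secrets store holds the token, and the per-window cap is what keeps an integration partner's retry loop from turning into a token bill.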