Add rate limiting and cache for m2m token authentication endpoints


Summary of this issue:

  • Auth0 sells a solution which offers no protection against (possibly external) developers from generating unlimited (?) costs on your account.
  • Only possible solution is to implement custom code around Auth0, negating the key value of SAAS.
  • Auth0 expected a solution in Q4 2023, then in Q2 2024, now… ?
  • Best practice solution is to move away from Auth0.

@konrad.sopala I would like to point out that this is not just nice-to-have, it’s a make-or-break issue, the lack of which - as you can read in various threads - is pushing customers away from your platform.


Hi @support! I see that both @konrad.sopala and @dan.woda haven’t been seen in this forum for several months, so I figured that one of you might post an update on the status here. The last posted target date here is Q2 2024, which we’re in right now. Any news on this?


Hi all, apologies for the delayed response here:

Limit M2M Usage Per Client has been moved from Q2 2024 to Q4 2024 - I unfortunately don’t have an update with regards to caching.

We appreciate your patience and understanding.

Just checking in to ask if this is still on track for Q4 @tyf ? The risk of lazy integration partners racking up M2M token charges is a huge issue.

Hello @tyf, any updates on this subject?
Could we at least know if the target date Q4 2024 will be met?

Thanks

I had to undo work I had put into using M2M tokens in actions because the cache is so short lived that I quickly ran into my account’s token retrieval limits. I’m now implementing a workaround utilizing AWS Secrets Manager which is disappointing because I’m tying in another piece of infrastructure/security layer for something that could be solved had Auth0 had a longer cache time for actions.

We are thinking of adding another layer on top, something like keycloak or duende identity server to mitigate auth0 token costs. We would still use auth0, but only for user authentication.
It would be nice if auth0 could provide some updates here. But it is what it is I guess

So apparently - end of Q1 2025 - still no official solution to this.

We’ve implemented the rate limiting as described elsewhere in community, but the inability to cache the token without building a wrapper around Auth0 (which has security implications, other than a massive complexity) is a really bad experience, for us and our clients.

For some reason I can’t add links, but I’m referring to a knowledge article called “Limit the Number of M2M Token Exchanges per Application”
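The kind of caching wrapper the posts above describe having to build around Auth0, as an added example that is not from this thread or from Auth0: an in-process cache that reuses a client-credentials token until shortly before expiry and caps token exchanges per client_id per time window, so a misbehaving integration cannot run up unlimited exchanges. The fetch_token callable, the max_exchanges/window/skew values and the injectable clock are assumptions for illustration.

```python
import time
import threading
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Assumption: fetch_token stands in for the real client-credentials call to the
# token endpoint and returns (access_token, expires_in_seconds).
TokenFetcher = Callable[[str], Tuple[str, float]]


@dataclass
class CachedToken:
    value: str
    expires_at: float


@dataclass
class M2MTokenCache:
    fetch_token: TokenFetcher
    max_exchanges: int                 # max token exchanges per window, per client_id
    window_seconds: float
    skew_seconds: float = 60.0         # refresh this long before the token really expires
    clock: Callable[[], float] = time.time
    fetch_count: int = 0               # total exchanges performed (for observability)
    _tokens: Dict[str, CachedToken] = field(default_factory=dict)
    _stamps: Dict[str, List[float]] = field(default_factory=dict)
    _lock: threading.Lock = field(default_factory=threading.Lock)

    def get_token(self, client_id: str) -> str:
        now = self.clock()
        with self._lock:
            cached = self._tokens.get(client_id)
            if cached and now < cached.expires_at - self.skew_seconds:
                return cached.value    # reuse: no exchange, no charge
            # sliding window of exchange timestamps for this client
            stamps = [t for t in self._stamps.get(client_id, []) if now - t < self.window_seconds]
            if len(stamps) >= self.max_exchanges:
                if cached and now < cached.expires_at:
                    return cached.value   # near expiry but still valid: serve it rather than exchange
                raise RuntimeError(f"token exchange rate limit hit for {client_id}")
            token, expires_in = self.fetch_token(client_id)
            stamps.append(now)
            self._stamps[client_id] = stamps
            self._tokens[client_id] = CachedToken(token, now + expires_in)
            self.fetch_count += 1
            return token
```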