Brute force for client_credentials grant type

michael.tong · June 21, 2019, 4:07pm

There doesn’t seem to be anything in place to prevent a brute force attack attempting to guess the client_secret for a client_id.
I send just over 100 token requests with the wrong client secret, but afterwards there didn’t appear to be any locking of the client_id as I could immediately log in with the correct secret.
Does this represent intended behaviour? Is client_secret entropy deemed sufficient to make these sort of attacks effectively impossible?

Thanks,

Mike

markd · June 22, 2019, 1:26pm

Hi @michael.tong,

I believe the only limitation is rate limiting. If you could lock a client out by brute forcing token requests, you could easily DDoS any / every client.

Topic		Replies	Views
Is there authentication lock when requesting a jwt token using client credentials Help auth0 , m2m	0	2327	February 16, 2022
Getting token via Resource Owner Password without client secret Help	8	7932	April 17, 2019
Brute Force - whitelist IP Help anomaly-detection , brute-force	2	4640	August 26, 2019
Client Credentials and vulnerabilities Help client-credentials-g	3	4787	March 2, 2018
Client Credentials Grants, Scopes Ignored Feedback	1	1966	June 10, 2022

Brute force for client_credentials grant type

Related Topics