There doesn’t seem to be anything in place to prevent a brute force attack attempting to guess the client_secret for a client_id.
I sent just over 100 token requests with the wrong client secret, but afterwards there didn’t appear to be any locking of the client_id, as I could immediately log in with the correct secret.
Does this represent intended behaviour? Is client_secret entropy deemed sufficient to make this sort of attack effectively impossible?
Thanks,
Mike
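The pattern described above (many failed token requests for one client_id with no lockout) is one a defender would want to detect. As an added example, not from this thread or from any particular authorization server, a per-client sliding-window counter run over constructed token-endpoint log lines (the log format, field names and the `invalid_client` result string are assumptions):

```python
"""Flag bursts of failed client authentication at an OAuth token endpoint.

Added example, not from the original post. The log format below is
constructed for illustration; real authorization servers log differently.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one line per token request, "timestamp client_id result"
SAMPLE_LOG = """\
2024-01-01T10:00:00 app-123 invalid_client
2024-01-01T10:00:01 app-123 invalid_client
2024-01-01T10:00:01 app-456 ok
2024-01-01T10:00:02 app-123 invalid_client
2024-01-01T10:00:03 app-123 invalid_client
2024-01-01T10:00:04 app-123 invalid_client
2024-01-01T10:00:05 app-123 ok
"""


def flag_client_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {client_id: timestamp} for each client whose failed client
    authentications reach `threshold` within a sliding `window`.

    Only failures count: a later success does not reset the counter, so a
    guess that eventually lands still leaves the burst visible.
    """
    failures = defaultdict(deque)  # client_id -> recent failure timestamps
    flagged = {}
    for line in log_text.splitlines():
        ts_text, client_id, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        if result != "invalid_client":
            continue
        recent = failures[client_id]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()  # discard failures that fell out of the window
        if len(recent) >= threshold and client_id not in flagged:
            flagged[client_id] = ts  # first moment the threshold was crossed
    return flagged


if __name__ == "__main__":
    print(flag_client_bruteforce(SAMPLE_LOG))
```

The same counter, keyed by client_id rather than source IP, is what a temporary lockout or rate limit on the token endpoint would consult.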