
Brute force for client_credentials grant type

There doesn’t seem to be anything in place to prevent a brute force attack attempting to guess the client_secret for a client_id.
I sent just over 100 token requests with the wrong client secret, but afterwards there didn’t appear to be any locking of the client_id, as I could immediately log in with the correct secret.
Does this represent intended behaviour? Is client_secret entropy deemed sufficient to make this sort of attack effectively impossible?

Thanks,

Mike

Hi @michael.tong,

I believe the only limitation is rate limiting. If you could lock a client out by brute forcing token requests, you could easily DDoS any / every client.