Global rate limit reached during login - Account linking extension in use

Problem statement

We received an alert trigger for api_limit on GET /api/v2/users-by-email.

Cause

The account linking extension was installed, and the rule it generated was edited so that it no longer ran only for first-time logins. The modified rule performed a user lookup on every login (except redirect and refresh-token flows), with the aim of ensuring that all users had unique email addresses, so that accounts created across multiple connections before the extension was installed would also be linked, not just first-time accounts.

Combined with an issue in the application, which sent multiple /authorize requests for an already logged-in user, this flooded the Management API; its rate limits kicked in and the rule failed.

Solution

The Management API endpoints should only be called when strictly necessary, especially when triggered from extensibility points such as Rules and Actions, because the rate limits for the Management API are much lower than those of the Authentication API. Monitoring the rate limit response headers in the application or script that calls the Management API is also recommended, so that back-off and retry mechanisms can be implemented.
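As an added illustration (not code from the article or from the extension itself), the two checks below show the gate that keeps a Rule from calling GET /api/v2/users-by-email on every login, and how to turn the rate limit headers into a back-off delay. The context.protocol and context.stats.loginsCount fields follow Auth0's Rule context; the header names are assumed from the Management API's rate limit documentation and should be verified against the current docs.

```javascript
// Decide whether this login should trigger a Management API lookup at all.
// Only first-time logins qualify; redirect and refresh-token flows never do.
function shouldLookupByEmail(context) {
  const skipProtocols = ['redirect-callback', 'oauth2-refresh-token'];
  if (skipProtocols.includes(context.protocol)) return false;
  const logins = (context.stats && context.stats.loginsCount) || 0;
  return logins <= 1; // loginsCount is 1 on the first successful login
}

// Given a Management API response status and headers, return how many seconds
// to wait before the next call (0 means the call may proceed immediately).
// Assumed headers: Retry-After, X-RateLimit-Remaining, X-RateLimit-Reset (epoch s).
function backoffSeconds(status, headers, nowEpochSec) {
  const h = {};
  for (const k of Object.keys(headers)) h[k.toLowerCase()] = String(headers[k]);
  const remaining = parseInt(h['x-ratelimit-remaining'], 10);
  const reset = parseInt(h['x-ratelimit-reset'], 10);

  if (status === 429) {
    // Already rejected: honour Retry-After if present, else wait for the window reset.
    if (h['retry-after']) return Math.max(1, parseInt(h['retry-after'], 10));
    return Number.isNaN(reset) ? 1 : Math.max(1, reset - nowEpochSec);
  }
  // Not rejected yet, but the budget is nearly gone: slow down proactively so the
  // next call does not fail (a failed call inside a Rule fails the login).
  if (!Number.isNaN(remaining) && remaining <= 1 && !Number.isNaN(reset)) {
    return Math.max(0, reset - nowEpochSec);
  }
  return 0;
}

// Constructed sample inputs, as a Rule would see them on a first login and on a
// token refresh; both are made up for this example.
const firstLogin = { protocol: 'oidc-basic-profile', stats: { loginsCount: 1 } };
const refresh = { protocol: 'oauth2-refresh-token', stats: { loginsCount: 1 } };
console.log(shouldLookupByEmail(firstLogin), shouldLookupByEmail(refresh)); // true false
console.log(backoffSeconds(429, { 'X-RateLimit-Reset': '1010' }, 1000));    // 10
```

Linking older accounts that predate the extension belongs in a one-off server-side job that can pace itself against these headers, rather than in the per-login Rule.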

It is also not recommended to modify the automatically generated rules of extensions such as the account linking extension. If customization is required in this area, a server-side implementation is generally the better choice for this scenario: