Machine to Machine Authentication Rate Limiting

Hi,

We use auth0 to manage users for our Single Page App and we create machine to machine Applications for clients that want to directly use our APIs.

As machine to machine authentications are charged, I was wondering if there is a way to limit machine to machine authentications per application?

I didn’t find any pre-existing features. Could we do it via rules or hooks?

Thanks

5 Likes

Hi,

The rate limits for our APIs are not configurable in tenant settings. You can find the Authentication rate limits here: Rate Limit Policy

What you can do to minimize the number of Client Credential requests made for M2M Tokens is to cache the tokens that you receive until they expire and then request new ones. There is no built-in way to achieve caching M2M tokens like this in Auth0 at the moment.

You can also take a look at a related question and answer here.

1 Like

Hi,

I understand the global rate limits and I cache tokens in my applications.

The thing is, I provide M2M credentials to some of my clients (not API clients, actual real life clients), these clients use Auth0 to retrieve tokens that can be used against my APIs.

Today I don’t have a way to limit calls to the Auth0 Authorization API from these clients and no way to force them to cache their tokens.

Maybe what I am doing wrong is allowing my clients to directly get their tokens from Auth0 ?

[edit]
The API my customers are using is set behind a broker, and this broker handles independent rate limits for each customer.
Could I put the Auth0 Authentication endpoint behind a broker?

2 Likes

I would also like to know if it is possible to rate limit or put the token endpoint behind a broker, specifically Azure API Management. If anyone has done it with the AWS Gateway that would be useful to know as well.

The scenario is that I want to create credentials for each of my customers that want to use my API. Then they authenticate with Auth0 and use my API with the jwt token generated by Auth0. But if a customer doesn’t cache the token themselves, they will easily blow my quota of M2M tokens. I am looking to support 100s of customers eventually.

Thank you.

3 Likes

We also have this need. It’s easier for external clients to skip the (essential) caching part, so they often do it. This will cause us to issue way more tokens than necessary and will eat the quota of tokens that we pay for.

1 Like

I’m stumbling on to this as well.
This pay per token model is pretty much unmanageable if your product has to have a secured API. Having to rely on clients doing caching is unrealistic.
Is there a way to work around this? Any other workflows perhaps that can achieve the same outcome? Is this a problem in Auth0 Enterprise as well?

We are in need of this feature as well. A poorly implemented client could easily deplete our quota.
It is bewildering to me why Auth0 doesn’t provide this basic functionality.

1 Like

In the same boat. A single client is causing us massive overages, accounting for 95% of our M2M token consumption. We ended up creating our own endpoint in AWS Lambda which calls Auth0 to obtain the token on their behalf, and re-mapping our endpoint in API Gateway to call this lambda instead of Auth0 directly. We are an Enterprise customer, so I’m discussing with our account manager. I’ll let you know if we come up with a better solution.

3 Likes

I’m going to add onto this thread just to try and get across how important a feature like this would be. We currently have a client that is consuming M2M auth calls far above what is necessary (not at a DDOS level, but too many). We’ve told them to cache their tokens but short of providing implementation support or cutting off their access, there’s only so much we can do right now. We’re looking into ways to rate limit calls that are coming in to Auth0, but I think that if you are going to enforce a quota on M2M auths then providing us with some basic tools to rate limit apps should really be table stakes.

1 Like

We have the same needs. The ability to limit/enforce a quota per client is a significant feature to control consumption of the token pool by downstream integration clients of our application.

We also could not find a REST API to obtain the quota utilization report data so we can build alerts/automation processes.

We work around this by putting the endpoint behind our own rate-limiter.

It would be much better if Auth0 would provide this out of the box.

Either as mentioned by @dhoepelman, or if within Auth0 itself, then via Client Credentials Exchange hook.

I agree, this feature would be useful and I’ve already added it to our product backlog as a feature request. It’s been requested by others before, as we can also see from this forum thread alone.

3 Likes

Hi @mathiasconradt, thank you for your attention. We are using the Client Credentials Exchange hook and I dug into other hooks but cannot figure out how we can use hooks for rate limiting or storing tokens until expiration. Would you be more specific, please?

This is an example of a Client Credentials Exchange Hook,

where it limits the rate to 5 requests per minute (per client id), as an example.

1 Like
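As an added example (not the hook the previous poster refers to, and not Auth0's or any poster's code), here is the broker pattern described earlier in the thread in Node.js: a module that caches each customer's M2M token until just before expiry and caps how often a single client id can make the broker call the Auth0 token endpoint (5 per minute, per client id). `fetchToken` is an assumed injected function that performs the real client-credentials grant, and the fake clock in the comments exists only for testing.

```javascript
// Added example (not code from the thread or from Auth0): a token broker that
// sits between customers and the Auth0 /oauth/token endpoint. It caches each
// customer's M2M token until shortly before expiry and caps how often a single
// client id can make the broker call Auth0 (5 per minute here). State is kept
// in memory, so a deployment across several Lambda instances would need a shared
// store (e.g. Redis or DynamoDB) for `cache` and `calls` instead of these Maps.
class TokenBroker {
  // fetchToken(clientId) is an assumed injected function that performs the real
  // client-credentials grant and resolves to { access_token, expires_in }.
  // `now` is injectable so the behaviour can be tested with a fake clock.
  constructor(fetchToken, { limit = 5, windowMs = 60000, skewMs = 30000, now = Date.now } = {}) {
    this.fetchToken = fetchToken;
    this.limit = limit;        // max upstream token requests per window
    this.windowMs = windowMs;  // sliding window length
    this.skewMs = skewMs;      // refresh this long before the token actually expires
    this.now = now;
    this.cache = new Map();    // clientId -> { token, expiresAt }
    this.calls = new Map();    // clientId -> timestamps of recent upstream calls
  }

  // Sliding-window limiter on upstream calls only: cache hits are never counted,
  // so a well-behaved client is unaffected and only a client that keeps forcing
  // fresh tokens runs into the cap.
  allowUpstream(clientId) {
    const t = this.now();
    const recent = (this.calls.get(clientId) || []).filter(ts => t - ts < this.windowMs);
    const allowed = recent.length < this.limit;
    if (allowed) recent.push(t);
    this.calls.set(clientId, recent);
    return allowed;
  }

  async getToken(clientId) {
    const hit = this.cache.get(clientId);
    if (hit && hit.expiresAt - this.skewMs > this.now()) {
      return { token: hit.token, source: 'cache' };
    }
    if (!this.allowUpstream(clientId)) {
      // Caller should map this to HTTP 429 so the customer sees it is over quota.
      throw new Error('rate_limited');
    }
    const { access_token, expires_in } = await this.fetchToken(clientId);
    this.cache.set(clientId, { token: access_token, expiresAt: this.now() + expires_in * 1000 });
    return { token: access_token, source: 'auth0' };
  }
}
```

Because only upstream calls are counted, a customer that caches properly never notices the limit, while one that requests a fresh token on every API call is throttled at the broker instead of draining the tenant's M2M quota.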