We are trying to verify the API-level permissions of each user through the Auth0 Management API for security reasons. But we just realized there is a rate limit for the Management API per tenant: "For paid tenants, usage of the Management API is restricted to 15 requests per second (and bursts up to 50 requests)", from https://auth0.com/docs/policies/rate-limits.
Is the rate limit adjustable for enterprise? Or any other suggestions?
15 requests per second seems supportable. Try to add some cache mechanism, like this one for axios: https://www.npmjs.com/package/axios-cache-adapter
Thanks a lot for sharing that knowledge @matinfo!
Thanks @matinfo!
@konrad.sopala Other than caching, is it possible to increase the rate limit on a case-by-case basis in the future?
If you need more than 15 requests per second, add a delay in your code.
Or like mentioned in the doc, use your own database Identity.
The rate limit concerns the Management API. If you need more than 15 requests per second, then you need to analyse your code logic / architecture to see whether you need a more complex approach that stores such information on your project side.
Even for our enterprise clients, it is unlikely that you would be granted a rate limit increase. Typically we would work with you on finding a solution that does not require a rate limit increase (not that it hasn’t happened on a very rare occasion).
Is there a security issue with using the permissions in the token? This usually dictates how the api should handle the user. If your permissions are quickly changing, then you would want to set a shorter life to the token, rather than polling the management API.
@dan.woda We have multiple APIs and some APIs want to use scopes for more granular access control. This could end up with a fair number (>100) of scopes/permissions for a single user. The top concern is security, for which we try to avoid revealing all these permissions to our end users; the size of the token is another concern. Instead, we prefer a backend API service to query the Auth0 Management API to get the user's permissions for this API when a request comes in.
I see. Using roles is out of the question?
@dan.woda My understanding is that role is only used to manage scopes. If we only pass the role information to backend, the backend still needs to query Management API to get all the permissions. In this case, the same rate limit will apply, is that right?
Let me reach out to some folks on this. I will report back.
Here is what one of our architects said:
The other option would be to encrypt and store the values in a custom claim. They likely shouldn’t be using scopes anyway, as that is how a user gives permission to an app, not how an app gives permission to a user.
This blog may be useful:
I see, scope represents the permissions that a user delegates to an application. That means scope is usually a subset of a user’s entire permissions. Thanks!
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.
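The caching and throttling suggested in the replies above, sketched as an added example that is not part of the original thread and not Auth0 code: a per-user permission cache with a short TTL, coalescing of concurrent lookups, and a local token bucket sized to the quoted limit (15 requests per second, bursts up to 50). `TokenBucket`, `PermissionCache` and the caller-supplied `fetchPermissions(userId, audience)` are hypothetical names.

```javascript
// Added example; TokenBucket, PermissionCache and fetchPermissions are hypothetical names.
class TokenBucket {
  constructor(ratePerSec = 15, burst = 50) {
    this.rate = ratePerSec;
    this.burst = burst;
    this.tokens = burst;
    this.last = 0;
  }
  // True if one upstream call may be made at nowMs; refills at `rate` tokens per second.
  tryTake(nowMs) {
    const elapsedSec = Math.max(0, nowMs - this.last) / 1000;
    this.tokens = Math.min(this.burst, this.tokens + elapsedSec * this.rate);
    this.last = nowMs;
    if (this.tokens < 1) return false;
    this.tokens -= 1;
    return true;
  }
}

class PermissionCache {
  // fetchPermissions(userId, audience) -> Promise<string[]> is supplied by the caller.
  constructor(fetchPermissions, { ttlMs = 60000, bucket = new TokenBucket(), now = Date.now } = {}) {
    Object.assign(this, { fetchPermissions, ttlMs, bucket, now });
    this.entries = new Map();  // key -> { perms, expires }
    this.inflight = new Map(); // key -> pending Promise
  }
  store(key, perms) {
    this.entries.set(key, { perms, expires: this.now() + this.ttlMs });
  }
  // Fresh cached permissions, or undefined. A revoked permission stays usable for up to ttlMs.
  lookup(key) {
    const e = this.entries.get(key);
    if (e && this.now() < e.expires) return e.perms;
    this.entries.delete(key);
    return undefined;
  }
  get(userId, audience) {
    const key = `${audience}|${userId}`;
    const hit = this.lookup(key);
    if (hit !== undefined) return Promise.resolve(hit);
    if (this.inflight.has(key)) return this.inflight.get(key); // coalesce concurrent misses
    if (!this.bucket.tryTake(this.now())) {
      return Promise.reject(new Error('Management API budget exhausted')); // fail closed: deny
    }
    const p = new Promise((resolve) => resolve(this.fetchPermissions(userId, audience)))
      .then((perms) => { this.store(key, perms); return perms; })
      .finally(() => this.inflight.delete(key));
    this.inflight.set(key, p);
    return p;
  }
}
```

The TTL is the window during which a revoked permission is still honoured, so it plays the same role as the token lifetime mentioned in the thread and should be chosen with the same care.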