Meaning of limit_sul Error

Problem statement

Suspicious IP throttling and Brute Force protection are disabled but user logins are still being rate limited/getting 429 errors.
The error being displayed on the tenant logs is “limit_sul”.

Steps to reproduce

Login with the same username more than 20 times/minute from the same IP address.

Cause

This log event, which indicates too many logins with the same username, is not actually a block on the user, nor an attack protection feature (IP Throttling, Brute Force Protection, etc.), but rather a rate limit put in place to protect the Auth0 infrastructure against many rapid login attempts with the same credentials.

It’s documented here: Database Login Limits

“…there is a same user login rate limit: If one IP address makes 20 login attempts in one minute to the same user account, the rate limit comes into effect. After that, Auth0 allows the user 10 attempts per minute. Any combination of successful and failed login attempts count toward this limit.”

This rate-limiting feature that’s built into the platform is what produces the log type “limit_sul” that you are seeing (sul → single user login).

Under normal circumstances, this should not happen, and for public cloud tenants, this behavior cannot be changed.

Solution

Determine if it is necessary to have the same username to create a burst of login attempts, and ideally find a better approach that does not require this. There may be an architectural issue that needs to be fixed.
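The following Python script is an added example, not Auth0's own tooling or code from this article. It parses tenant log records (the field names type, user_name, ip and date are assumed to match the Auth0 log export format, and the type codes "s" and "f" are assumed to mean successful and failed login) and reports which (user, IP) pairs reached the 20-attempts-per-minute same-user limit quoted above, alongside the limit_sul events those pairs produced. The log lines are constructed for the example; run it against an export of your own tenant logs to find the client or service that is bursting the same username.

```python
"""Find (user, IP) pairs that trip Auth0's same-user login limit.

Added example, not Auth0 code. Assumptions: tenant log records are JSON
with the fields "date", "type", "user_name" and "ip"; type "s" is a
successful login, "f" a failed login, "limit_sul" the rate-limit event.
"""
import json
from collections import Counter
from datetime import datetime

SAME_USER_LIMIT = 20            # attempts per minute, per IP, per user (from the docs quoted above)
LOGIN_EVENT_TYPES = {"s", "f"}  # assumed Auth0 log type codes for success / failure
LIMIT_EVENT_TYPE = "limit_sul"


def _make_record(ts, typ, user, ip):
    return json.dumps({"date": ts, "type": typ, "user_name": user, "ip": ip})


# Constructed sample: a service account retrying 25 times in one minute from
# one IP (alternating failure/success), a normal user logging in twice, and
# the limit_sul events emitted once the burst passed the limit.
SAMPLE_LOG_LINES = (
    [_make_record(f"2024-01-01T10:00:{i:02d}.000Z", "f" if i % 2 else "s",
                  "svc@example.com", "203.0.113.5") for i in range(25)]
    + [_make_record("2024-01-01T10:00:30.000Z", "s", "alice@example.com", "198.51.100.7"),
       _make_record("2024-01-01T10:03:10.000Z", "s", "alice@example.com", "198.51.100.7")]
    + [_make_record(f"2024-01-01T10:00:{i:02d}.000Z", LIMIT_EVENT_TYPE,
                    "svc@example.com", "203.0.113.5") for i in range(20, 25)]
)


def parse_logs(lines):
    """Turn JSON log lines into dicts with a parsed UTC timestamp."""
    events = []
    for line in lines:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["date"].replace("Z", "+00:00"))
        events.append({"time": ts, "type": rec["type"],
                       "user": rec.get("user_name", ""), "ip": rec.get("ip", "")})
    return events


def attempts_per_minute(events):
    """Count login attempts (success and failure) per (user, ip, minute bucket)."""
    counts = Counter()
    for e in events:
        if e["type"] in LOGIN_EVENT_TYPES:
            bucket = e["time"].replace(second=0, microsecond=0)
            counts[(e["user"], e["ip"], bucket)] += 1
    return counts


def find_bursts(events, limit=SAME_USER_LIMIT):
    """(user, ip) pairs that reached `limit` attempts within a single minute."""
    return sorted({(user, ip)
                   for (user, ip, _bucket), n in attempts_per_minute(events).items()
                   if n >= limit})


def limit_sul_by_pair(events):
    """How many limit_sul events each (user, ip) pair generated."""
    c = Counter()
    for e in events:
        if e["type"] == LIMIT_EVENT_TYPE:
            c[(e["user"], e["ip"])] += 1
    return dict(c)


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOG_LINES)
    for user, ip in find_bursts(evs):
        print(f"{user} from {ip}: burst of "
              f"{max(n for (u, i, _), n in attempts_per_minute(evs).items() if (u, i) == (user, ip))}"
              f" attempts/min, {limit_sul_by_pair(evs).get((user, ip), 0)} limit_sul events")
```

Minute buckets are a simplification of whatever sliding window Auth0 applies internally, so treat a pair that sits just under 20 in one bucket as suspect too. The pairs this reports are the candidates for the architectural fix the solution step asks for: a shared service account, a retry loop without backoff, or many clients behind one NAT address logging in as the same user.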