Prevent M2M Token Hoarding

Hi - I’m currently in the process of building a public-facing API using your M2M Authentication. It was brought to my attention that we are billed by the amount of M2M token requests. We will have many 3rd parties obtaining tokens from our API and need to prevent a 3rd party from hoarding tokens. As an example, I need to prevent a 3rd party using their M2M client ID and secret to obtain a new token every minute (token expiration is set for 1 day) and instead force them to reuse their previously obtained, non-expired token during that 1-day time frame.

I’m thinking I would do this in an Action? Check if the 3rd party already has a valid token, if they do prevent them from obtaining a new one and force them to use their already valid token.

Do you have any documentation on how to complete this? I don’t want a 3rd party to cause extremely high billings from Auth0.

Hi @tvlahovic

You are on the right track. I wouldn’t call this hoarding though, just the opposite. Hoarding is what you want your clients to do.

There are a couple of approaches here:

  • You can just rely on your clients’ caching. If your 3rd party clients want to work with you, this usually works.
  • You may be able to do this with the hook/action, not sure about this though. If the token is generated before the action, this won’t help.
  • You can implement your own endpoint, and the 3rd party calls that endpoint. That endpoint then either returns the valid existing token or calls the oauth/token endpoint to get and cache a new token. You don’t reveal the oauth/token endpoint to the client.

John

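The third approach above (your own endpoint that hands back a cached token and only calls oauth/token when the cached one is about to expire), as an added example that is not part of the original thread or of Auth0’s own code. The Auth0 call is replaced by a constructed stand-in and a fake clock so it runs offline; `TokenCache`, `FakeClock` and `simulate_one_day` are names assumed here.

```python
import threading


class FakeClock:
    """Constructed, controllable clock so token lifetimes can be replayed offline."""
    def __init__(self, start=0.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class TokenCache:
    """Cache one access token per (client_id, audience) until shortly before it expires.

    fetch_token(client_id, audience) -> (access_token, expires_in_seconds) is the only
    place a billable request to oauth/token is made (stubbed out in the demo below).
    """
    def __init__(self, fetch_token, clock, skew_seconds=60):
        self._fetch = fetch_token
        self._clock = clock
        self._skew = skew_seconds          # refresh early so callers never receive a nearly-dead token
        self._lock = threading.Lock()      # one upstream call per key even with concurrent callers
        self._entries = {}                 # (client_id, audience) -> (token, expiry_timestamp)
        self.upstream_calls = 0            # how many requests actually reached oauth/token

    def get(self, client_id, audience):
        key = (client_id, audience)
        with self._lock:
            now = self._clock()
            entry = self._entries.get(key)
            if entry is not None and entry[1] - self._skew > now:
                return entry[0]            # still valid: reuse, no billable request
            token, expires_in = self._fetch(client_id, audience)
            self.upstream_calls += 1
            self._entries[key] = (token, now + expires_in)
            return token


def simulate_one_day(request_interval=60, token_lifetime=86400):
    """Replay a client hitting the proxy every minute for a day.

    Returns (distinct tokens handed out, requests that reached oauth/token).
    """
    clock = FakeClock()
    issued = []
    def fake_auth0_fetch(client_id, audience):  # constructed stand-in for POST /oauth/token
        issued.append(f"tok-{len(issued) + 1}")
        return issued[-1], token_lifetime
    cache = TokenCache(fake_auth0_fetch, clock)
    seen = set()
    for _ in range(token_lifetime // request_interval):
        seen.add(cache.get("client-abc", "https://api.example.com"))
        clock.advance(request_interval)
    return len(seen), cache.upstream_calls
```

With a 1-day token and a 60-second refresh skew, 1440 requests in a day cost two upstream calls: the initial fetch and one early refresh at the end of the lifetime.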

I should note there are security issues with the third approach, not horrible, but should be considered.

John

Do you have documentation or an example for implementing this with a hook/action?

Hi @tvlahovic

Sorry, I do not.

John

Did you manage it? I was having the same issue and am still looking for the solution. Please share some suggestions, thanks in advance.