/token endpoint (and token abuse)

Hello Community,

Rookie here…

I have a rather simple question that I cannot seem to find an answer to.

My question is: Does Auth0 issue a new token every time the /token endpoint is called by the same client requesting access to a different resource within a short period of time?

Consider the following scenario: We have Mule APIs that we want to expose to external clients. Clients can call one or more APIs. There is a likelihood some of these clients do not have robust session management implemented. This means that when a client makes an API call, the access token issued during that call is discarded. Then, when the client calls another (or even the same) API, it will be issued a new access token. This will lead to unnecessary token generation (token abuse).

Does Auth0 have any mechanism to avoid that? That is, if a client calls /token more than once in quick succession, does Auth0 generate new tokens, or does it recognize calls from the same client and re-issue the same token (as long as, of course, it is not expired)?

Any thoughts would be much appreciated.

Cheers
Nick

Hi @nick.govind

You can implement a wrapper service for the token call (I am assuming the 3rd parties are doing Client Credentials grant, right?). This wrapper would then be the place to cache the token.

Auth0 may implement something here, but I don’t think it is guaranteed and for the M2M calls you want to be sure.

John

Hi John,

Thanks for your response.

Yes - 3rd parties will use Client Credentials grant. Are wrappers implemented as hooks within Auth0, or is it normally an application that sits between clients and Auth0? I'm not so sure about the latter because of the associated "double handling" of tokens and the introduction of another point of failure (but then, I'm not an architect or developer so may be off the mark here…).

Cheers
Nick

hi @nick.govind

I meant “an application between your clients and Auth0” when I said “wrapper”. It is another point of failure, yes, but it provides a very important point of control.

John
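The caching wrapper John describes, as an added example that is not code from the thread or from Auth0: one token is cached per audience (each resource API gets its own) and re-used until shortly before it expires, so repeated calls from a client that discards tokens do not hit /oauth/token again. The Auth0 domain, client id/secret and audience values are placeholders, and `FakeAuth0` is a constructed stand-in so the example runs offline.

```python
# Added example (not from the thread): a token cache sitting between callers
# and Auth0's /oauth/token, re-using a Client Credentials token per audience
# until shortly before expiry. Domain/client values are placeholders.
import json
import threading
import time
import urllib.request
from typing import Callable, Dict, Tuple

# fetch(audience) -> (access_token, expires_in_seconds)
Fetcher = Callable[[str], Tuple[str, int]]


def auth0_fetcher(domain: str, client_id: str, client_secret: str) -> Fetcher:
    """Real fetcher: POSTs a client_credentials grant to https://{domain}/oauth/token."""
    def fetch(audience: str) -> Tuple[str, int]:
        body = json.dumps({"grant_type": "client_credentials", "client_id": client_id,
                           "client_secret": client_secret, "audience": audience}).encode()
        req = urllib.request.Request(f"https://{domain}/oauth/token", data=body,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            data = json.load(resp)
        return data["access_token"], int(data["expires_in"])
    return fetch


class TokenCache:
    """One cached token per audience; refreshes `skew` seconds before expiry."""
    def __init__(self, fetch: Fetcher, skew: int = 60,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._cache: Dict[str, Tuple[str, float]] = {}  # audience -> (token, expiry)
        self._lock = threading.Lock()                    # serialise concurrent callers

    def get(self, audience: str) -> str:
        with self._lock:
            hit = self._cache.get(audience)
            if hit and self._clock() < hit[1] - self._skew:
                return hit[0]                            # still valid: no /token call
            token, expires_in = self._fetch(audience)
            self._cache[audience] = (token, self._clock() + expires_in)
            return token


class FakeAuth0:
    """Constructed stand-in for Auth0 so the example runs offline; counts /token calls."""
    def __init__(self) -> None:
        self.calls = 0

    def fetch(self, audience: str) -> Tuple[str, int]:
        self.calls += 1
        return f"token-{audience}-{self.calls}", 3600
```

Wire `auth0_fetcher("YOUR_TENANT.auth0.com", "CLIENT_ID", "CLIENT_SECRET")` into `TokenCache` in the wrapper and have clients call the wrapper instead of /oauth/token directly; the lock means a burst of concurrent calls still results in a single token request per audience.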

