In our AuthorizeAttribute.OnAuthorizationAsync (C#) override, we call /userinfo for every business API. This is to make sure we always rely on the token for user info. We were getting a “Too many requests” exception and, looking at the Rate Limit Policy, we are devastated by the limitations placed on the /userinfo call. A 5 requests per minute limitation? How are we supposed to get user details in our APIs? We don't want the SPA telling us who the user is (in fact the SPA does not know who the user is, because authorization is delegated to Auth0 using the Universal Login flow). The SPA gets a token in its callback and uses the token to identify the user, and the backend uses the token to extract user details. I looked at the limitation on the Management APIs and that also has a 2 per second limitation. Are we kidding? How can you run a high volume application with this kind of limitation? I would like to be wrong here.
It’s possible to include user information (custom claims, based on OpenID Connect scopes) directly in an issued access token, so this would allow your API to obtain additional user information without an additional network request. What are the reasons to exclude this approach?
The above would remove rate limits completely out of the equation so it’s definitely something to consider.
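To make the suggested approach concrete, here is an added example (not code from either poster and not Auth0's reference code) showing the two halves of it: a post-login Action that writes namespaced custom claims into the access token, and the backend-side helper that reads user info from the already-verified JWT payload instead of calling /userinfo. The `event`/`api` shapes follow Auth0's documented Actions interface (`api.accessToken.setCustomClaim`, `event.user`, `event.authorization.roles`); the claim namespace, the claim set, the `runActionOffline` stand-in and the sample login event are assumptions constructed for this example. JWT signature, issuer, audience and expiry validation is assumed to be done by the API's JWT middleware before `userInfoFromClaims` is called.

```javascript
// Added example (not the forum poster's code, not Auth0's reference code).
// Namespace chosen for this example; namespacing keeps custom claims from
// colliding with registered OIDC claims such as "sub" or "email".
const CLAIM_NAMESPACE = "https://example.com/claims/"; // assumed namespace

// Part 1: shape of an Auth0 post-login Action. Only the attributes the API
// authorizes on are copied; the SPA can read the access token, so anything
// placed here is visible to the client and should be kept minimal.
async function onExecutePostLogin(event, api) {
  const user = event.user || {};
  const roles = (event.authorization && event.authorization.roles) || [];
  api.accessToken.setCustomClaim(`${CLAIM_NAMESPACE}email`, user.email);
  api.accessToken.setCustomClaim(`${CLAIM_NAMESPACE}roles`, roles);
}

// Part 2: backend side. Called with the payload of a JWT whose signature,
// issuer, audience and expiry have already been verified. User identity comes
// only from the token: the subject and the namespaced claims. Nothing is
// taken from the SPA's request body or headers.
function userInfoFromClaims(payload) {
  if (!payload || typeof payload.sub !== "string" || payload.sub.length === 0) {
    throw new Error("token has no subject claim");
  }
  const email = payload[`${CLAIM_NAMESPACE}email`];
  const roles = payload[`${CLAIM_NAMESPACE}roles`];
  return {
    userId: payload.sub,
    email: typeof email === "string" ? email : null,
    roles: Array.isArray(roles) ? roles.filter((r) => typeof r === "string") : [],
  };
}

// Stand-in for the Actions runtime (assumption, for offline demonstration):
// records the claims the Action would write into the access token. The Action
// body contains no await, so its calls complete before this function returns.
function runActionOffline(event) {
  const claims = {};
  const api = {
    accessToken: {
      setCustomClaim: (name, value) => { claims[name] = value; },
    },
  };
  onExecutePostLogin(event, api);
  return claims;
}

// Constructed sample login event (not real user data).
const sampleEvent = {
  user: { user_id: "auth0|abc123", email: "alice@example.com" },
  authorization: { roles: ["orders:read"] },
};

// Simulate issuance, then what the API sees in the verified payload.
const issuedClaims = runActionOffline(sampleEvent);
const verifiedPayload = { sub: "auth0|abc123", ...issuedClaims };
console.log(userInfoFromClaims(verifiedPayload));
```

With this in place the per-request cost of identifying the caller is a local JWT check, so the /userinfo and Management API rate limits no longer sit on the request path; the trade-off is that claims are a snapshot taken at login and only refresh when a new token is issued, which is why short token lifetimes matter when roles or emails change.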