Error Message "You've Exceeded the Rate Limit for /u/login/identifier"

Problem statement

During some login attempts, the following error is generated:

invalid_request: You’ve exceeded the rate limit for /u/login/identifier. Please try again in a short while.


Symptoms

The following error is displayed to the user:

invalid_request: You’ve exceeded the rate limit for /u/login/identifier. Please try again in a short while.

Steps to Reproduce

This can be reproduced by making an ‘/authorize’ request. Once the Login prompt is shown (use the New Universal Login experience), reload the page over and over again until the error message is generated.

Cause

The rate limit for the authentication API was exceeded. There are two possibilities:

  • Global limit exceeded
  • Limit per (tenant + session ID) exceeded

'/u/login/identifier' and other prompts are affected by the authentication API global limit.

Rate limits apply to the Universal Login prompts to ensure stability and consistency across the platform. The values that apply to both production and development tenants are:

  • RPM for GET: 20 burst, 10 per minute
  • RPM for POST: 10 burst, 5 per minute

The above limits are per transaction, not global. A separate limit applies to each screen the user sees, and because the limit is keyed on the state handle, limits from one transaction do not interfere with a new one. This also protects users coming from the same intranet, since each user gets their own limits instead of sharing one. Keeping the limits per transaction allows them to be low, which provides more protection.
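As an added illustration (not Auth0's implementation), the Python below models the per-transaction token bucket the limits above describe: each (tenant, state handle, method) key gets its own bucket with the quoted burst size and per-minute refill, so repeated reloads of one transaction are throttled while a second transaction in the same tenant is unaffected. The tenant and state values are constructed.

```python
from dataclasses import dataclass

# Limits quoted in the article: method -> (burst capacity, sustained tokens per minute)
LIMITS = {"GET": (20, 10), "POST": (10, 5)}


@dataclass
class Bucket:
    tokens: float  # tokens currently available
    last: float    # timestamp (seconds) of the last refill


class PromptRateLimiter:
    """Token-bucket model keyed on (tenant, state handle, HTTP method)."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.buckets = {}

    def allow(self, tenant, state, method, now):
        burst, per_minute = self.limits[method]
        key = (tenant, state, method)
        bucket = self.buckets.get(key)
        if bucket is None:
            # A fresh transaction starts with a full burst allowance.
            bucket = Bucket(tokens=float(burst), last=now)
            self.buckets[key] = bucket
        # Refill continuously at per_minute tokens per 60 s, never above the burst cap.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(float(burst), bucket.tokens + elapsed * per_minute / 60.0)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def simulate_burst(limiter, tenant, state, method, count, now):
    """Fire `count` requests for one transaction at the same instant (a user
    hammering reload) and return how many the limiter let through."""
    return sum(limiter.allow(tenant, state, method, now) for _ in range(count))


if __name__ == "__main__":
    lim = PromptRateLimiter()
    print("reloads allowed:", simulate_burst(lim, "acme-tenant", "state-A", "GET", 25, now=0.0))
    print("other transaction:", simulate_burst(lim, "acme-tenant", "state-B", "GET", 25, now=0.0))
```

With the quoted limits, 25 reloads of one identifier screen yield 20 successes followed by the rate-limit error, and a minute later only 10 more are admitted, while a different state handle keeps its own full allowance.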

Solution

These limits are not customizable. The limit does not affect other users in the tenant, so a single user cannot cause an outage. It only prevents that user from making repeated calls to the same endpoint.

To understand the root cause of the rate limiting, enable the “Risk Assessment” option in the Bot Detection feature. This generates pre-login risk assessment logs with the log type “pla”. A large number of these logs for a single IP will lead to rate-limited requests.