Problem statement
During some login attempts, the following error is generated:
invalid_request: You’ve exceeded the rate limit for /u/login/identifier. Please try again in a short while.
Symptoms
The following error is displayed to the user:
invalid_request: You’ve exceeded the rate limit for /u/login/identifier. Please try again in a short while.
Steps to Reproduce
This can be reproduced by making an '/authorize' request. Once the Login prompt is shown (use the New Universal Login experience), reload the page repeatedly until the error message is generated.
Cause
The rate limit for the authentication API was exceeded. There are two possibilities:
- Global limit exceeded
- Limit per (tenant + session ID) exceeded
'/u/login/identifier' and other prompts are affected by the authentication API global limit.
Rate limits apply to the Universal Login Prompts to ensure stability and consistency across the platform. The values that apply to both production and development tenants are:
- RPM for GET: 20 burst, 10 per minute
- RPM for POST: 10 burst, 5 per minute
The above limits are per transaction, not global. A limit is enforced for each screen the user sees, and because each transaction is identified by its state handle, limits from one transaction do not interfere with a new one. This also shields transactions from other users coming from the same intranet, since every user gets their own limits. That isolation is what allows the limits to be low and still provide more protection.
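The following is an added illustration, not Auth0's own implementation: a token-bucket model of the per-transaction limits quoted above, keyed by (tenant, state handle, method), with "burst" treated as the bucket capacity and the per-minute figure as the refill rate (both are assumptions about how the limits are enforced). It shows why repeated reloads of one transaction get rate-limited while a second transaction on the same tenant is unaffected.

```python
import time

# Limits quoted for Universal Login prompts: method -> (burst, refill per minute).
LIMITS = {"GET": (20, 10), "POST": (10, 5)}


class PromptRateLimiter:
    """Token bucket per (tenant, state handle, method) -- an assumed model, not Auth0's code."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.buckets = {}  # (tenant, state, method) -> (tokens, last_refill_timestamp)

    def allow(self, tenant, state, method, now=None):
        """Return True if the request may proceed, False if it would be rate-limited."""
        now = time.monotonic() if now is None else now
        burst, per_minute = self.limits[method]
        key = (tenant, state, method)
        tokens, last = self.buckets.get(key, (float(burst), now))
        # Refill in proportion to elapsed time, never above the burst capacity.
        tokens = min(float(burst), tokens + (now - last) * per_minute / 60.0)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return True
        self.buckets[key] = (tokens, now)
        return False


def count_allowed(limiter, tenant, state, method, attempts, now=0.0):
    """Fire `attempts` back-to-back requests with no time passing; count those allowed."""
    return sum(limiter.allow(tenant, state, method, now) for _ in range(attempts))


if __name__ == "__main__":
    lim = PromptRateLimiter()
    # Constructed sample: one user reloading the identifier prompt 25 times in a row.
    print("reloads allowed on transaction st1:", count_allowed(lim, "acme", "st1", "GET", 25))
    # A different transaction on the same tenant has its own bucket.
    print("reloads allowed on transaction st2:", count_allowed(lim, "acme", "st2", "GET", 25))
    # Six seconds later, the 10-per-minute refill grants exactly one more GET on st1.
    print("st1 GET after 6 s:", lim.allow("acme", "st1", "GET", now=6.0))
```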
Solution
These limits are not customizable. The limit does not affect other users in the tenant, so a single user cannot cause an outage; it only prevents that user from making repeated calls to the same endpoint.
To understand the root cause of the rate limiting, you may enable the "Risk Assessment" option in the Bot Detection feature. This generates Pre-login risk assessment logs with the log type "pla". A large number of these logs for a single IP will lead to rate-limited requests.