How to enable rate-limit plugin on route "/oauth2/token"

I enabled the rate-limit plugin on the route “/oauth2/token” but it did not work. I tried limit-by consumer.

@jeremyjpj0916 Did you face this issue before?

Sadly you cannot rate limit by consumer on /oauth2/token because the consumer is unknown :slight_smile:. I did have a hacky idea where I create a global OAuth2 endpoint and then protect that with the JWT Auth Plugin on the Route or Service and force users to use a JWT token to get their Bearer Token, so I could limit potential Bearer token generators, but my team preferred to leave it alone with no rate limit. But that may be an option you want to take if you want to limit how many tokens a user can generate in a second/day/week.

Sadly one of our early adopters started asking for a token on every request; that’s why I was thinking of putting a rate limit on it, but it was not working as expected. I am also using /oauth2/token as a global OAuth2 endpoint without using a JWT token, so the token is provided by the oauth2 plugin itself.

Right, we see this too. Many consumers abuse OAuth2 token generation and don’t cache properly. So you have the option of forcing these consumers to identify themselves with JWT or HMAC on that global endpoint and rate-limiting them, or letting them still have free rein to do as they please.

We made this to help too:

It is a Python script to clean expired tokens out of a Cassandra DB, as well as email alerts on bad consumers so you can reach out to them and ask what the heck they are doing lol.

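One way to set up what the two replies above describe, as an added example that is not part of the original thread and not Kong's own documentation: a Kong declarative config (`kong.yml`) that puts the `jwt` plugin on the `/oauth2/token` route so the caller is identified as a consumer before the `oauth2` plugin issues a token, and then applies `rate-limiting` with `limit_by: consumer` on that same route. The service name, upstream URL, consumer name, secrets and limit values are placeholders chosen for the example.

```yaml
# Added example (not from the thread): global OAuth2 token endpoint whose
# callers must present a JWT, so the consumer is known and can be rate limited.
_format_version: "2.1"

services:
  # Hypothetical service. The oauth2 plugin answers POST /oauth2/token itself,
  # so token requests never reach this upstream.
  - name: token-issuer
    url: http://127.0.0.1:9999
    plugins:
      - name: oauth2
        config:
          global_credentials: true        # tokens usable on other services too
          enable_client_credentials: true
          enable_authorization_code: false
          enable_password_grant: false
          enable_implicit_grant: false
          mandatory_scope: false
          token_expiration: 7200
          provision_key: REPLACE_WITH_RANDOM_PROVISION_KEY   # placeholder
    routes:
      - name: oauth2-token
        paths:
          - /oauth2/token
        methods:
          - POST
        strip_path: false
        plugins:
          # Authentication plugins run before rate-limiting, so by the time
          # rate-limiting executes the consumer from the JWT is already set.
          - name: jwt
            config:
              key_claim_name: iss       # iss claim selects the consumer's jwt_secret
              claims_to_verify:
                - exp
          - name: rate-limiting
            config:
              limit_by: consumer        # now resolvable; no longer falls back to ip
              second: 2                 # placeholder limits
              minute: 30
              policy: local
              fault_tolerant: true
              hide_client_headers: false

consumers:
  # Placeholder consumer: holds both the JWT credential used to call
  # /oauth2/token and the OAuth2 client that the issued token belongs to.
  - username: early-adopter
    jwt_secrets:
      - key: early-adopter-issuer       # must equal the JWT's iss claim
        algorithm: HS256
        secret: REPLACE_WITH_LONG_RANDOM_SECRET   # placeholder
    oauth2_credentials:
      - name: early-adopter-app
        client_id: REPLACE_CLIENT_ID            # placeholder
        client_secret: REPLACE_CLIENT_SECRET    # placeholder
        redirect_uris:
          - https://example.invalid/cb
```

The reason `limit_by: consumer` on a bare token route looks like it does nothing is that Kong's rate-limiting plugin falls back to the client IP when no consumer (or credential) has been set by an authentication plugin, so every client behind the same NAT shares one counter and an individual abuser is never singled out. With `jwt` (or `hmac-auth`, which the reply above also mentions) on the route, the consumer that owns the matching `jwt_secrets` entry is attached to the request and the counter is kept per consumer. Counters use `policy: local`, which is per node; in a multi-node cluster use `cluster` or `redis` so a client cannot multiply its allowance by spreading requests across nodes.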

Thanks for the suggestion, I will try this.
