Closed myssto closed 3 months ago
Closes #128
Each partition is identified by the Issuer field (we assign from User.Id or OAuthClient.Id) of our JWT access tokens.
Does your implementation handle the case where the user and client ids are the same?
That is a very valid question that I had made a reminder to check on, but never actually did lol. I have a fix in mind, I'll implement real quick
Make sure to update project status and close #128 after merging :)
Configs updated.
Introduce rate limits to the API
Uses a Fixed Window rate limit with a default of 30 requests per minute. The configuration uses a partitioned scheme, where each User / OAuthClient has their own limit, and all anonymous requests share a limit. Each partition is identified by the `Issuer` field (we assign from `User.Id` or `OAuthClient.Id`) of our JWT access tokens.

The configuration supports encoding rate limit override values into the JWT access tokens. The overrides enable us to grant a modified token limit and refresh window on a per User / OAuthClient basis. The overrides are stored in the `users` and `oauth_clients` tables as JSON representations of the new `RateLimitOverrides` entity to the `rate_limit_overrides` column. To conserve space in the JWT, they are serialized by excluding null values.

If you are interested in reading about how this is all configured, some good articles are here (1, 2, 3)
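The partitioning and override scheme described above, as an added Python sketch that is not the project's own (ASP.NET Core) code. It assumes decoded JWT claims carry a `kind` value ("user" or "client") alongside `iss`, so that a User and an OAuthClient with the same numeric id land in separate partitions, and that overrides arrive as a `rate_limit_overrides` object with null fields omitted, exactly as the description says they are serialized.

```python
import time
from typing import Dict, Optional, Tuple

DEFAULT_PERMIT_LIMIT = 30       # the PR's default: 30 requests per window
DEFAULT_WINDOW_SECONDS = 60.0   # one minute


def partition_key(claims: Optional[dict]) -> str:
    """Partition key from decoded JWT claims (constructed claim shape, not the project's).

    Anonymous requests (no token) share one partition. Authenticated requests are keyed
    by Issuer, prefixed with the assumed 'kind' claim so a User and an OAuthClient that
    happen to share an id do not share a rate-limit bucket.
    """
    if not claims:
        return "anonymous"
    return f"{claims['kind']}:{claims['iss']}"


def effective_limits(claims: Optional[dict]) -> Tuple[int, float]:
    """Apply per-token overrides; nulls were dropped at serialization, so keys may be absent."""
    overrides = (claims or {}).get("rate_limit_overrides") or {}
    limit = overrides.get("permit_limit", DEFAULT_PERMIT_LIMIT)
    window = overrides.get("window_seconds", DEFAULT_WINDOW_SECONDS)
    return int(limit), float(window)


class ManualClock:
    """Deterministic clock for demonstrations and tests; call() returns the current time."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class FixedWindowLimiter:
    """Fixed-window counter per partition. 'clock' is injectable (defaults to monotonic time)."""

    def __init__(self, clock=time.monotonic) -> None:
        self._clock = clock
        self._windows: Dict[str, Tuple[float, int]] = {}   # key -> (window start, count)

    def try_acquire(self, claims: Optional[dict]) -> bool:
        key = partition_key(claims)
        limit, window = effective_limits(claims)
        now = self._clock()
        start, count = self._windows.get(key, (now, 0))
        if now - start >= window:      # window elapsed: reset the counter
            start, count = now, 0
        if count >= limit:             # budget for this partition exhausted
            self._windows[key] = (start, count)
            return False
        self._windows[key] = (start, count + 1)
        return True
```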