Rate Limiting Configuration
Protect your IdentitySuite instance from abuse and excessive API usage with comprehensive rate limiting policies and monitoring
Rate limiting protects IdentitySuite from abuse and excessive API usage by controlling the number of requests clients can make within specific time windows. All rate limiting policies use SlidingWindowRateLimiterOptions to provide flexible and granular control over request throttling.
Rate Limiting Controls:
OIDC Critical Endpoints (High-Risk):
These high-risk OIDC endpoints are exposed to abuse through automated attacks and resource exhaustion. They handle authentication flows and token issuance, making them prime targets for brute-force and DoS attacks. Endpoints: /Connect/Authorize, /Connect/Token, /Connect/Verify.
SlidingWindowRateLimiterOptions Parameters:
OIDC Default Endpoints (Moderate-Risk):
These standard OIDC endpoints have moderate risk exposure. They handle user session management and profile information, and require protection against automated scraping and session-abuse attacks. Endpoints: /Connect/Logout, /Connect/UserInfo.
SlidingWindowRateLimiterOptions Parameters:
Global Endpoints (Baseline Protection):
General application endpoints require baseline protection against common automated threats. This policy provides default rate limiting for every endpoint not covered by a specific OIDC policy, preventing generic DoS attacks and API abuse.
SlidingWindowRateLimiterOptions Parameters:
IP Address Management:
White Listed IPs:
- IP addresses exempt from all rate limiting
- Trusted sources and administrative access
- Add IP addresses that should never be throttled
Black Listed IPs:
- IP addresses completely blocked from access
- Known malicious sources and threat actors
- All requests from these IPs are rejected automatically
Understanding SlidingWindowRateLimiterOptions:
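The following is an added example, not IdentitySuite code: a small Python model of the sliding-window semantics that SlidingWindowRateLimiterOptions provides (PermitLimit, Window, SegmentsPerWindow), wired to the three policies and the white/black lists described above. The limit values, IP addresses and status codes are constructed assumptions; the endpoint groups are the ones this page lists.

```python
from dataclasses import dataclass, field

@dataclass
class SlidingWindowPolicy:
    """Simplified model of .NET SlidingWindowRateLimiterOptions semantics.
    The window is split into equal segments; a request counts against the
    window until its segment slides out, Window seconds later."""
    permit_limit: int          # PermitLimit: max requests per window per client
    window: float              # Window, in seconds
    segments_per_window: int   # SegmentsPerWindow: granularity of the slide
    counts: dict = field(default_factory=dict)  # client -> {segment: count}

    def try_acquire(self, client: str, now: float) -> bool:
        seg_len = self.window / self.segments_per_window
        current = int(now // seg_len)
        oldest = current - self.segments_per_window + 1
        segs = self.counts.setdefault(client, {})
        for seg in [s for s in segs if s < oldest]:   # segments that slid out
            del segs[seg]
        if sum(segs.values()) >= self.permit_limit:
            return False                               # over limit: reject
        segs[current] = segs.get(current, 0) + 1
        return True

# Constructed sample limits (the page gives none); endpoint lists are the page's.
POLICIES = {
    "oidc-critical": SlidingWindowPolicy(permit_limit=5, window=10.0, segments_per_window=5),
    "oidc-default": SlidingWindowPolicy(permit_limit=20, window=10.0, segments_per_window=5),
    "global": SlidingWindowPolicy(permit_limit=100, window=60.0, segments_per_window=6),
}
CRITICAL = {"/connect/authorize", "/connect/token", "/connect/verify"}
DEFAULT = {"/connect/logout", "/connect/userinfo"}
WHITELIST = {"10.0.0.5"}        # constructed: trusted, never throttled
BLACKLIST = {"198.51.100.9"}    # constructed: always rejected

def policy_for(path: str) -> str:
    p = path.lower()
    return "oidc-critical" if p in CRITICAL else "oidc-default" if p in DEFAULT else "global"

def handle(client_ip: str, path: str, now: float) -> int:
    """Return the HTTP status the limiter would produce: 200, 429 or 403."""
    if client_ip in BLACKLIST:
        return 403                # black-listed: rejected before any policy runs
    if client_ip in WHITELIST:
        return 200                # white-listed: exempt from all policies
    allowed = POLICIES[policy_for(path)].try_acquire(client_ip, now)
    return 200 if allowed else 429

if __name__ == "__main__":
    for i in range(6):
        print(i + 1, handle("203.0.113.7", "/Connect/Token", now=0.0))   # sixth prints 429
```

Requests to /Connect/UserInfo from the same client are counted by the moderate-risk policy, so a client exhausting /Connect/Token is not also locked out of its session endpoints.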
Rate Limiting Metrics and Monitoring:
Real-time Metrics:
- Rejection Rate: Percentage of requests being blocked
- Unique Clients: Number of distinct IP addresses
- Active Policies: Currently enforced rate limit policies
- Suspicious Clients: IPs showing potential abuse patterns
Analytics Views:
- Statistics Policy: Per-policy performance data
- Popular Endpoints: Most frequently accessed endpoints
- Client Requests: Top requesting IP addresses
- Time Trends: Request patterns over time
Configuration Guidelines:
- Test rate limiting policies in a development environment first
- Monitor metrics regularly and adjust limits based on actual usage patterns
- Consider legitimate high-traffic scenarios when setting limits
- White-list trusted IP addresses to prevent accidental blocking
- An application restart is required for configuration changes to take effect