Description
The OAuth client-credentials token endpoint and the optional OpenID Connect login endpoints are exposed without rate-limiting controls.
It was observed that the /oauth/token and /users/auth/openid_connect API endpoints did not implement any form of rate limiting.
Impact:
• Attackers can brute-force OAuth client IDs/secrets or flood token-issuance attempts on /oauth/token without per-IP or per-client throttling.
• When OIDC is enabled, unauthenticated requests to /users/auth/openid_connect and its callback can be hammered without limits, bypassing the protections applied to native login and enabling credential-stuffing or login-spam attacks from a single source.
Recommendation:
• Add per-IP throttles (e.g., Rack::Attack) for /oauth/token and the OpenID Connect entrypoint/callback to cap token-issuance and OIDC login attempts.
• Log and alert on repeated failures or throttled requests.
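A throttle of the kind recommended above, as an added example that is not the project's code: a plain-Ruby Rack middleware that reproduces Rack::Attack's throttle(name, limit:, period:) semantics with a fixed-window counter, applying per-IP and per-client_id limits to POST /oauth/token and a per-IP limit to the /users/auth/openid_connect entrypoint and callback, and logging each throttled request. The rule names, the limits, the in-memory counter store and the constructed_env helper are assumptions for the demonstration; a deployment would use Rack::Attack itself backed by a shared cache store.

```ruby
require 'uri'
require 'logger'
require 'stringio'

# Plain-Ruby Rack middleware mirroring Rack::Attack's throttle(name, limit:, period:)
# semantics for the two endpoints in the report. The in-memory counter hash stands in
# for a shared cache store; the limits below are constructed, not the project's.
class AuthThrottle
  Rule  = Struct.new(:name, :limit, :period, :discriminator)
  TOKEN = ->(env) { env['PATH_INFO'] == '/oauth/token' && env['REQUEST_METHOD'] == 'POST' }
  OIDC  = ->(env) { env['PATH_INFO'].to_s.start_with?('/users/auth/openid_connect') }

  def initialize(app, logger: Logger.new($stderr), clock: -> { Time.now.to_i })
    @app, @logger, @clock, @counts = app, logger, clock, Hash.new(0)
    @rules = [
      # Token issuance: cap per source IP and, independently, per OAuth client_id.
      Rule.new('oauth/token/ip',     20, 60, ->(env) { TOKEN.call(env) && env['REMOTE_ADDR'] }),
      Rule.new('oauth/token/client', 10, 60, ->(env) { TOKEN.call(env) && client_id(env) }),
      # OIDC entrypoint and its callback: cap per source IP, no session required.
      Rule.new('oidc/ip',            10, 60, ->(env) { OIDC.call(env) && env['REMOTE_ADDR'] })
    ]
  end

  def call(env)
    @rules.each do |rule|
      disc = rule.discriminator.call(env)
      next unless disc                                   # rule does not apply
      key = "#{rule.name}:#{disc}:#{@clock.call / rule.period}"  # fixed window
      @counts[key] += 1
      next if @counts[key] <= rule.limit
      # Throttled requests are logged so repeated failures can be alerted on.
      @logger.warn("throttled rule=#{rule.name} discriminator=#{disc} path=#{env['PATH_INFO']}")
      return [429, { 'content-type' => 'text/plain', 'retry-after' => rule.period.to_s }, ["Retry later\n"]]
    end
    @app.call(env)
  end

  # Builds a Rack env hash for a constructed request (demo helper, not production code).
  def self.constructed_env(path, ip, method: 'POST', body: '', query: '')
    { 'PATH_INFO' => path, 'REQUEST_METHOD' => method, 'REMOTE_ADDR' => ip,
      'QUERY_STRING' => query, 'rack.input' => StringIO.new(body) }
  end

  # client_id may come in the form body or query string; the body is rewound for the app.
  def client_id(env)
    input = env['rack.input']
    body  = input ? input.read.to_s : ''
    input&.rewind
    (URI.decode_www_form(body) + URI.decode_www_form(env['QUERY_STRING'].to_s)).to_h['client_id']
  end
end
```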