Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Disabling client side rate limiting in Okta login MFA client #15369

Merged
merged 2 commits into from
May 12, 2022

Conversation

chrishoffman
Copy link
Contributor

The behavior of the login MFA is currently limited due to the client side rate limiting happening in the SDK. This SDK is older and there may be a change in the API behavior that is not fully accounted for in this client.

@chrishoffman chrishoffman requested review from calvn and hghaf099 May 11, 2022 14:18
@chrishoffman chrishoffman added backport/1.10.x bug Used to indicate a potential bug labels May 11, 2022
@@ -0,0 +1,3 @@
```release-note:bug
mfa/okta: disable client side rate limiting causing delays in push notifications
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: Should we just use "auth" here as the top level category for the change?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd think that auth/okta refers to the Okta auth method specifically.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed. Not sure how to categorize login mfa.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am good either way. I just mentioned that because we used auth as the category for login MFA before, and then message was more specifically talked about what has changed in Login MFA.

@@ -1825,6 +1825,8 @@ func (c *Core) validateOkta(ctx context.Context, mConfig *mfa.Config, username s
} else {
client = okta.NewClient(cleanhttp.DefaultClient(), oktaConfig.OrgName, oktaConfig.APIToken, oktaConfig.Production)
}
// Disable client side rate limiting
client.RateRemainingFloor = 0
Copy link
Contributor

@hghaf099 hghaf099 May 11, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to Okta docs, the minimum rate limit is 100 for the requests that are generated from us. So, I am wondering if setting the floor value to 0 would cause any issue (performance or security)? Since 100 limit is imposed from Okta, should we consider increasing the floor value from 0 to something like 30, or even 50? This way, we would still have enforced some limit on the number of requests, and mitigate the delay in push notifications.

Copy link
Contributor

@calvn calvn May 11, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The way that I understand how RateRemainingFloor works (docs) is that it behaves more like a padding, with the default value of 30 if unset. This means that for an Okta (dev) account that has a limit of 100 req/min, once the server returns "30 request remaining", the client will stop making requests. So what we're trying to do here is to remove that padding on the client side. Fortunately non-dev accounts have much higher rate limits (600).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure if 30 is the correct default though based on what I see in the code here.
Seems the default is 100

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, then that'd definitely do it! The client would never be able to poll for dev accounts past the first call. Thanks for cross-checking the docs against the actual default!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, the comment says 30 while the actual value is 100. Since we are moving aways from this lib, I'm fine with 30 or 50. But really I don't really see to much of a need for client side rate limiting, even though it exists in this lib.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another questions to think about is, will be enable client side rate limiting when migrating to the official SDK? It looks like the official SDK only has a WithRateLimitMaxBackOff but I would guess that is when you run up to the limit instead of a threshold when you limit client side requests.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see your point about the client side rate limit. I am good with setting the floor value to 0. Thanks for the context.
WithRateLimitMaxBackOff seems to be setting maxBackoff to 30. Not sure how does in work though. In general, I would vote for being consistent between releases. But, that might be hard to verify.

Copy link
Contributor

@calvn calvn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look good, but if non-dev accounts have a much higher rate limit of 600 req/min, then they shouldn't have to worry this floor value at all, right? Does that mean that it should work for them even without this change?

@hghaf099
Copy link
Contributor

hghaf099 commented May 11, 2022

That is a good point, I believe non-dev users should be fine. Hmm, based on this, would we need this change?

@chrishoffman
Copy link
Contributor Author

@hghaf099 Considering that it is unusable right now for dev accounts, I think we still should make some change (whether disable completely or lower the threshold). Many individuals will be validating this behavior with dev accounts and we should provide them a similar experience as production use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Used to indicate a potential bug
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants