Getting 429 error code on IntrospectOAuth2Token

[robogeek]

I have a service implemented in Node.js/TypeScript for which I'm working on integrating ORY-based OAuth2 for Client Credentials Flow. I have a problem where many tests are failing in calling ory.introspectOAuth2Token({ token: accessToken }); to assist in validating the token to determine whether that token is valid and/or allowed to perform the requested action.

Rather than use self-hosted Hydra, I'm using the ORY service.

The system is successfully generating OAuth2 tokens that are usually successfully introspected and are useful for authentication.

But, sometimes, an error result is returned to the introspectOAuth2Token call, with a 429 status. I was unable to find documentation on the 429 status code. For example the REST API documentation doesn't mention this code.

I'm suspecting there may be a rate limit for using the ORY service on the free tier?

UPDATE: Printing out the entire error object I see a table, STATUS_CODES, containing: "429":"Too Many Requests"

I think that answers the question.

[robogeek]

At the moment I'm hoping to surface a useful error message but do not see how to access more information. For example, when I dumped the whole error object there was a field statusText that contained a string saying something like too many requests but ...

This is the current code to generate the error message.

    try {
        const { data }
            = await ory.introspectOAuth2Token({ token: accessToken });
        
        return data;
    } catch (err: any) {
        let msg = `introspectOAuth2Token FAIL because (${err.code}) ${err.message} ${err.path} ${err.address} ${err.port} ${err.info} ${err.statusText} ${err.STATUS_CODES} `;
        if ('cause' in err) {
            msg += ` ORY cause: ${err.cause}`;
        }
        if ('field' in err) {
            msg += ` ORY field: ${err.field}`;
        }
        if ('name' in err) {
            msg += ` ORY name: ${err.name}`;
        }
        if (err.isAxiosError) {
            msg += ` isAxiosError ${err.code} ${err.cause}`;
        }
        logger.error(msg);
        // logger.error(YAML.dump({ err }, { indent: 4 }));
        throw new BadRequestError(msg);
    }

Which generates the following:

error: introspectOAuth2Token FAIL because (ERR_BAD_REQUEST) Request failed with status code 429 undefined undefined undefined undefined undefined undefined  ORY name: AxiosError isAxiosError ERR_BAD_REQUEST undefined

For example, ${err.statusText} ${err.STATUS_CODES} shows undefined undefined.

In the @ory/client package I see that the introspectOAuth2Token function throws RequiredError which I was unable to find the definition. But, in this case err is actually an AxiosError.

[robogeek]

To report further - I inserted caching into the system, meaning that the introspected token object is stored in the cache and that's used in place of requesting a fresh introspection. That stopped all 429 errors and the test suite I was running ran to completion.

Clearly I ran past a limit in the free tier plan.

But, it's also clear thinking of this that caching introspected data is a bad idea. What I'm planning to do for a real solution is self-hosting Hydra.

[aeneasr]

Hi @robogeek - rate limits are significantly higher for paid tiers - see here: https://www.ory.sh/docs/guides/rate-limits