Claim-based rate limiting · ThreeMammals/Ocelot#1587

(8 评论) (0 反应) (0 负责人)C# (8,137 star) (1,617 fork)batch import

AuthenticationRate Limitingacceptedfeaturehelp wantedproposal

描述

New Feature

Extracting claims from the token and use as a Client ID in the rate limiting. Suggesting a new feature to implement the rate limiting based on the claims in the token.

Motivation for New Feature

Current rate limiting is based on the Client ID passed in the header from the request. There are chances that anyone can manipulate the request by updating headers and using APIs without any restriction.

So, instead of depending on the consumer to provide the Client ID in the header, we can use the claims from the token. Which is more secure and not modifiable. Considering this, a rate limit will be applicable for authenticated endpoints only.

Specifications

Version: 18.1.0
Platform: .NET 6

贡献者指南

技术栈: csharp
领域: securityauthenticationauthorizationperformanceapibackend
议题类型: feature
难度: 3
预计时间: 3-5 days
活动状态: stale
清晰度: clear
前置要求: Understanding of .NET middlewareFamiliarity with JWT claimsKnowledge of Ocelot's rate limitingC#
新手友好度: 50
研究方向: Begin by reviewing the existing rate limiting middleware in Ocelot (likely in the Ocelot source code under Middleware or RateLimit). Look for where ClientId is currently extracted from headers. Then explore the authentication middleware to see how token claims are made available. The goal is to optionally use a claim like sub or client id from the token for rate limiting. Check the issue comments for any maintainer guidance or linked PRs. Consider adding a configuration option to choose between header based and claim based Client ID. Ensure the implementation only affects authenticated endpoints.