use jwt in rate limiting


Hi, how can I use JWT as the client ID for client rate limiting? I think I should set "ClientIdHeader": "Authorization" in my appsetting.json

Issue Analytics

  • State: open
  • Created 5 years ago
  • Comments: 5

Top GitHub Comments

12 reactions
muxa commented, Feb 3, 2019

I have the same question. As a workaround I’ve used "ClientIdHeader": "Authorization", however the API can be configured to accept JWT tokens via query strings.

The problem is that the client rate limiting middleware is executed before the MVC authorisation handlers parse the JWT token, and so httpContext.User is not set.

It would be nice to have an option for ClientRateLimitMiddleware to be executed after user context is set.

1 reaction
Kantis commented, Oct 3, 2019

I had a similar problem with wanting to use claims-based ratelimiting. My solution was to register the ratelimiting middleware after authentication. In Startup.cs#Configure:

```csharp
app.UseAuthentication();
app.UseClientRateLimiting();
```

Then using a custom configuration and resolver:

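```csharp
using AspNetCoreRateLimit;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Options;

// Resolves the rate-limit client ID from the authenticated user.
public class ClientIdResolver : IClientResolveContributor
{
	private readonly IHttpContextAccessor _httpContextAccessor;

	public ClientIdResolver(IHttpContextAccessor httpContextAccessor)
	{
		_httpContextAccessor = httpContextAccessor;
	}

	public string ResolveClient()
	{
		// GetPlayerId() is the commenter's own extension method (not shown, not part of the library).
		return _httpContextAccessor.HttpContext.User.GetPlayerId().ToString();
	}
}

// Adds the custom resolver to the library's rate-limit configuration.
public class CustomRateLimitConfiguration : RateLimitConfiguration
{
	public CustomRateLimitConfiguration(IHttpContextAccessor httpContextAccessor,
										IOptions<IpRateLimitOptions> ipOptions,
										IOptions<ClientRateLimitOptions> clientOptions) : base(
		httpContextAccessor, ipOptions, clientOptions)
	{
	}

	protected override void RegisterResolvers()
	{
		ClientResolvers.Add(new ClientIdResolver(HttpContextAccessor));
	}
}
```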

Register the custom configuration using services in `Startup.cs#ConfigureServices`:

`services.AddSingleton<IRateLimitConfiguration, CustomRateLimitConfiguration>();`
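
A variant of the resolver above that also handles requests with no authenticated user, as an added example that is not part of the original thread or the library's own code. It keys the limit on the validated subject claim rather than the raw `Authorization` header, so the same key applies whether the token arrived in a header or a query string. It assumes the `IClientResolveContributor` interface shown in the comment, that `app.UseAuthentication()` runs before `app.UseClientRateLimiting()`, and a `sub` claim in the token; the class name and the `user:`/`anon:` prefixes are hypothetical.

```csharp
using System.Security.Claims;
using AspNetCoreRateLimit;
using Microsoft.AspNetCore.Http;

// Added example: keys the client rate limit on the authenticated principal
// instead of the raw Authorization header value.
public class ClaimClientIdResolver : IClientResolveContributor
{
    private readonly IHttpContextAccessor _httpContextAccessor;

    public ClaimClientIdResolver(IHttpContextAccessor httpContextAccessor)
    {
        _httpContextAccessor = httpContextAccessor;
    }

    public string ResolveClient()
    {
        HttpContext context = _httpContextAccessor.HttpContext;
        if (context == null)
        {
            return null; // no request in flight; leave it to another resolver
        }

        ClaimsPrincipal user = context.User;
        if (user?.Identity != null && user.Identity.IsAuthenticated)
        {
            // The JWT bearer handler maps "sub" to NameIdentifier by default;
            // check the raw name too in case claim mapping is switched off.
            Claim subject = user.FindFirst(ClaimTypes.NameIdentifier)
                            ?? user.FindFirst("sub");
            if (subject != null && !string.IsNullOrWhiteSpace(subject.Value))
            {
                return "user:" + subject.Value;
            }
        }

        // Unauthenticated, or a token without a subject: bucket by remote
        // address so an unvalidated token value never becomes its own quota key.
        string ip = context.Connection.RemoteIpAddress?.ToString();
        return "anon:" + (ip ?? "unknown");
    }
}
```

Behind a reverse proxy, `RemoteIpAddress` is the proxy's address unless forwarded headers are processed earlier in the pipeline, so the `anon:` bucket would then be shared by all anonymous callers.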