Abstract
Responsiveness is a key requirement for web-based enterprise software systems. To this end, throttling (or rate limiting) is often applied to block illegitimate traffic from outside-facing components and to protect their computational resources. OAuth-based authorization servers are among the most popular components facing the web. Alas, the OAuth protocol introduces severe challenges to throttling. The OAuth protocol flow introduces indirections to client requests that make it hard to determine their source and thus to apply rate limits. Moreover, fixed limits perform poorly when request loads alternate between high and low. In this paper we propose solutions for both issues and provide an efficient solution for throttling in the context of OAuth. This includes integrated methods for a) cooperative throttling of authorization and resource servers as well as b) dynamic rate limiting as part of the throttling algorithm. We evaluate our approach based on a real-world enterprise CRM use case.
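The two problems named in the abstract, resolving the OAuth client behind a request instead of its network source and tightening limits only while the server is under load, can be sketched in code. The following is an added illustration written for this page, not the paper's algorithm or implementation; the request dictionaries, the 80 % load threshold and the halving factor are assumptions chosen for the example.

```python
"""Added illustration (not the paper's method): throttle keyed on the OAuth
client identity, with a per-client limit that shrinks under high total load."""
import base64
import time
from collections import defaultdict, deque

def throttle_key(req):
    """Resolve the OAuth client behind a request; fall back to the source IP.
    `req` is a constructed dict: token-endpoint requests carry client_id as a
    form field or inside HTTP Basic credentials (RFC 6749); resource-server
    requests carry a token introspection result (RFC 7662) with client_id."""
    intro = req.get("introspection")
    if intro and intro.get("active") and intro.get("client_id"):
        return "client:" + intro["client_id"]          # resource server side
    if req.get("client_id"):
        return "client:" + req["client_id"]            # token endpoint, form body
    auth = req.get("authorization", "")
    if auth.startswith("Basic "):
        creds = base64.b64decode(auth[6:]).decode()   # "client_id:client_secret"
        return "client:" + creds.split(":", 1)[0]
    return "ip:" + req.get("remote_addr", "unknown")   # unauthenticated traffic

class DynamicThrottle:
    """Sliding-window limiter; the per-key limit drops when total load is high."""
    def __init__(self, base_limit, capacity, window=1.0, tight_factor=0.5):
        self.base_limit = base_limit    # per-key requests per window at normal load
        self.capacity = capacity        # total requests per window the server absorbs
        self.window = window            # window length in seconds
        self.tight_factor = tight_factor
        self.per_key = defaultdict(deque)   # key -> timestamps inside the window
        self.total = deque()                # all timestamps, used as the load signal

    def _prune(self, dq, now):
        while dq and dq[0] <= now - self.window:
            dq.popleft()

    def current_limit(self, now):
        """Assumed policy: above 80 % of capacity, halve every client's limit."""
        self._prune(self.total, now)
        if len(self.total) >= 0.8 * self.capacity:
            return max(1, int(self.base_limit * self.tight_factor))
        return self.base_limit

    def allow(self, req, now=None):
        now = time.monotonic() if now is None else now
        dq = self.per_key[throttle_key(req)]
        self._prune(dq, now)
        if len(dq) >= self.current_limit(now):
            return False                # over limit: caller should answer 429
        dq.append(now)
        self.total.append(now)
        return True
```

Because the key is the client identity, a client that switches IP addresses or reaches the resource server through the authorization server's indirection still shares one budget; the limit only tightens while the total window count is near capacity.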
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Schuller, P., Siedl, J., Getto, N., Schork, S.T., Zirpins, C. (2023). Optimized Throttling for OAuth-Based Authorization Servers. In: Sales, T.P., Proper, H.A., Guizzardi, G., Montali, M., Maggi, F.M., Fonseca, C.M. (eds) Enterprise Design, Operations, and Computing. EDOC 2022 Workshops. EDOC 2022. Lecture Notes in Business Information Processing, vol 466. Springer, Cham. https://doi.org/10.1007/978-3-031-26886-1_15
DOI: https://doi.org/10.1007/978-3-031-26886-1_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-26885-4
Online ISBN: 978-3-031-26886-1