Expected Behavior
Placing a limit on the number of requests a user can make using a valid access token to resource server in OAuth 2.0
Current Behavior
I am considering the following attack scenario in the OAuth 2.0 context (a slightly more complex attack scenario than the one mentioned in RFC-6819 OAuth 2.0 Threat Model and Security Considerations, Section 4.4.1.12. Threat: DoS Using Manufactured Authorization "codes").
With a valid access token, a user can make as many requests to a resource server as he/she wants and make the resource server unavailable to other users, effectively causing a DoS attack.
Solution
By placing a rate limit on the number of requests a user can make using an access token, attackers cannot abuse a valid access token by overwhelming the resource server with a tremendous number of requests.
Context
I can use Bucket4j to limit the number of requests per IP address in a certain amount of time. However, as per my understanding, attackers in this way will still have provision to do DDoS attacks. Also, I want to place the limit on the number of requests per valid access token, not on IP address.
My Solution
I can build a custom filter that will keep track of the number of requests coming from an access token and add that register in my Spring context. However, I am afraid it can be more difficult than expected.
Queries
I have found a built-in solution to the above-mentioned threat in Django REST framework. Does Spring security have any similar support?
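One way to write the per-token filter sketched above, as an added example that is not code from this issue or from Spring Security. It assumes Bucket4j 7.x (`Bucket.builder()` / `Bandwidth.simple`), Jakarta Servlet and Spring 6; the 100-requests-per-minute figure is an illustrative choice, and the bucket is keyed by a digest of the token rather than the token itself so that the raw credential is not held in memory.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import io.github.bucket4j.Bandwidth;
import io.github.bucket4j.Bucket;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

// Limits each bearer token to CAPACITY requests per PERIOD (the numbers are illustrative).
public class TokenRateLimitFilter extends OncePerRequestFilter {
    private static final long CAPACITY = 100;
    private static final Duration PERIOD = Duration.ofMinutes(1);
    // One bucket per token, keyed by a SHA-256 digest so the raw token is never stored here.
    // Unbounded in this sketch: production code needs eviction or a shared, bounded store.
    private final ConcurrentMap<String, Bucket> buckets = new ConcurrentHashMap<>();

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String auth = req.getHeader("Authorization");
        if (auth == null || !auth.regionMatches(true, 0, "Bearer ", 0, 7)) {
            chain.doFilter(req, res); // no bearer token: let the normal Spring Security chain handle it
            return;
        }
        Bucket bucket = buckets.computeIfAbsent(digest(auth.substring(7).trim()), k -> newBucket());
        if (bucket.tryConsume(1)) {
            chain.doFilter(req, res);
        } else {
            res.setStatus(429); // Too Many Requests: the token is still valid, it is only throttled
            res.setHeader("Retry-After", String.valueOf(PERIOD.getSeconds()));
        }
    }
    static Bucket newBucket() {
        return Bucket.builder().addLimit(Bandwidth.simple(CAPACITY, PERIOD)).build();
    }
    static String digest(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(d);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Register it after Spring Security's bearer-token authentication filter (for example with `http.addFilterAfter(new TokenRateLimitFilter(), BearerTokenAuthenticationFilter.class)`) so that only tokens that already passed validation create buckets. The map is per JVM, so a resource server running several instances needs one of Bucket4j's distributed backends to enforce a single limit per token across all of them.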
Comment From: jzheaux
Thanks for all the detail, @islamazhar. No, Spring Security doesn't ship with support for rate limiting, though there is an open ticket for it if you are interested in contributing: #3802
Since I think that addresses your question, I'll close this, but feel free to add more detail if I've misunderstood.