Authentication endpoints timeout causing rate limits to be hit #223

Open
mgoodfellow opened this issue Aug 1, 2022 · 2 comments

Comments

@mgoodfellow

Hi,

This is a repeat of this issue:

#212

We received a spike in API timeouts for the refresh token/obtain token endpoints. When this happens, our systems will try to obtain another token. Unfortunately, these timeouts were all counted towards our tiny rate limit of 30 calls to the /oauth/token endpoint per hour, and this has caused our entire site to go offline again.

Having this edge rate limit is far too low when there are disruptions to the API.

There is already a 24-hour limit of 50 tokens granted at a client ID level. This limit makes sense, as it actually requires a token to be issued in order to count towards the rate limit. This other rate limit seems to be imposed at the edge, and has no concept of business logic. It triggers even when no tokens are issued.

The levels are so low that we cannot even protect ourselves with circuit breakers as they cannot fire fast enough under load.

Please can this be reviewed.

Specific comment: #212 (comment)
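
A client-side guard for the situation reported above, added here as an example and not taken from the thread or the project's code: it caches the token, allows one token request in flight at a time, and counts every attempt (timeouts included) against a local hourly budget so that retries stop before the 30-per-hour edge limit is reached. `TokenClient`, `BudgetExhausted`, the `fetch` callable and the headroom of 5 are assumptions made for the illustration.

```python
import threading
import time
from collections import deque

EDGE_LIMIT = 30        # /oauth/token calls per hour, the figure given in the issue
WINDOW_SECONDS = 3600


class BudgetExhausted(Exception):
    def __init__(self, retry_after):
        super().__init__(f"token attempt budget spent; retry in {retry_after:.0f}s")
        self.retry_after = retry_after


class TokenClient:
    def __init__(self, fetch, budget=EDGE_LIMIT - 5, clock=time.monotonic):
        self._fetch = fetch      # hypothetical: returns (token, ttl_seconds) or raises
        self._budget = budget    # headroom of 5 below the edge limit is an assumption
        self._clock = clock
        self._lock = threading.Lock()   # single-flight: one token request at a time
        self._attempts = deque()        # start times of attempts still inside the window
        self._token, self._expires_at = None, 0.0

    def _prune(self, now):
        while self._attempts and now - self._attempts[0] >= WINDOW_SECONDS:
            self._attempts.popleft()

    def attempts_left(self):
        with self._lock:
            self._prune(self._clock())
            return self._budget - len(self._attempts)

    def get_token(self):
        with self._lock:
            now = self._clock()
            if self._token is not None and now < self._expires_at:
                return self._token      # cached token: the endpoint is not called
            self._prune(now)
            if len(self._attempts) >= self._budget:
                wait = WINDOW_SECONDS - (now - self._attempts[0])
                raise BudgetExhausted(wait)
            # Count the attempt before sending it, so a timeout or error still
            # consumes budget, matching how the issue says the edge limit counts.
            self._attempts.append(now)
            token, ttl = self._fetch()
            self._token, self._expires_at = token, now + ttl
            return token
```

Callers that catch `BudgetExhausted` can fail fast or serve degraded responses until `retry_after` has elapsed, instead of sending further requests that would count against the edge limit.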

@mgoodfellow
Author

@davidjohnson85 stop going through every issue in this repo and posting ChatGPT-based responses. This is ridiculous.
