Tags: asp.net, authentication, identityserver4, rate-limiting

Rate limit IdentityServer4 token endpoint


There are some client APIs spamming our IdentityServer4 token endpoint (/connect/token). I was thinking of using AspNetCoreRateLimit to limit the number of allowed requests per IP. I have added a rule (both in General and IP rules) to limit requests to /connect/token.

The problem is that during testing with Postman, AspNetCoreRateLimit does not take /connect/token into account, so it does not apply the rule. Postman was getting an access token with every new request, even when it violated the rules.

What am I doing wrong? Is this the right way to implement such functionality? Are there better ways to do it?


Solution

  • The trick is to register app.UseIpRateLimiting(); BEFORE you register app.UseIdentityServer();.
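The ordering fix from the answer, written out as a complete Startup class. This is an added example and not code from the original question or answer; it assumes the AspNetCoreRateLimit 4.x and IdentityServer4 4.x package APIs, and the client id, secret, scope, header names and limits are hypothetical placeholders to tune. The reason the order matters is that UseIdentityServer handles /connect/token itself and does not pass the request further down the pipeline, so a limiter registered after it never sees token requests. The example also sets EnableEndpointRateLimiting, because without it the library ignores the Endpoint field of every rule and only "*" rules apply, which is a second reason a /connect/token rule can silently do nothing.

```csharp
// Added example (not from the original post): per-IP rate limiting of
// POST /connect/token with AspNetCoreRateLimit 4.x in front of IdentityServer4 4.x.
// Client, secret, scope, header names and limits are hypothetical placeholders.
using System.Collections.Generic;
using AspNetCoreRateLimit;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Counters live in the in-memory cache. With more than one node behind a
        // load balancer each node keeps its own counter, so the effective limit is
        // N times higher; use the distributed (Redis) stores in that case.
        services.AddMemoryCache();

        services.Configure<IpRateLimitOptions>(options =>
        {
            // Required for endpoint-specific rules. When false, only rules whose
            // Endpoint is "*" are evaluated and a /connect/token rule is ignored.
            options.EnableEndpointRateLimiting = true;
            // Blocked requests do not count against the quota, so a retrying
            // client cannot extend its own lockout indefinitely.
            options.StackBlockedRequests = false;
            options.HttpStatusCode = 429;
            // Only honour this header if a trusted proxy always overwrites it;
            // otherwise a client can set it and pick its own rate-limit key.
            options.RealIpHeader = "X-Real-IP";
            options.GeneralRules = new List<RateLimitRule>
            {
                // Rule format is "{verb}:{path}", lower-case. The IdentityServer
                // token endpoint only accepts POST.
                new RateLimitRule { Endpoint = "post:/connect/token", Period = "1m", Limit = 10 },
                // Catch-all so the rest of the server is still limited.
                new RateLimitRule { Endpoint = "*", Period = "1s", Limit = 50 }
            };
        });
        services.AddInMemoryRateLimiting();
        services.AddSingleton<IRateLimitConfiguration, RateLimitConfiguration>();

        // Minimal IdentityServer4 setup with one hypothetical machine client so the
        // token endpoint exists. Replace the developer signing credential in production.
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()
            .AddInMemoryApiScopes(new[] { new ApiScope("api1") })
            .AddInMemoryClients(new[]
            {
                new Client
                {
                    ClientId = "machine-client",
                    AllowedGrantTypes = GrantTypes.ClientCredentials,
                    ClientSecrets = { new Secret("replace-me".Sha256()) },
                    AllowedScopes = { "api1" }
                }
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        // When a reverse proxy terminates TLS, fix up RemoteIpAddress first so the
        // limiter keys on the client address rather than the proxy's. By default only
        // loopback proxies are trusted; add your proxy to KnownProxies/KnownNetworks.
        app.UseForwardedHeaders(new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
        });

        // Order matters: UseIdentityServer short-circuits /connect/token and never
        // calls the next middleware, so the limiter must be registered before it.
        app.UseIpRateLimiting();

        app.UseIdentityServer();
    }
}
```

To check the fix, send the same client_credentials POST to /connect/token eleven times within a minute from one address; the first ten should return a token and the eleventh a 429 with a Retry-After header. If every request still succeeds, confirm the limiter is registered before UseIdentityServer and that EnableEndpointRateLimiting is true. Limiting by source IP slows down a single spamming client but not a distributed one; for misbehaving clients you control, shorter access-token lifetimes with client-side caching of the token remove the reason to hit the endpoint on every call.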