Sign in rate limit for OAuth apps (#44282)
Co-authored-by: Sophie <[email protected]>
hpsin and sophietheking authored Oct 16, 2023
1 parent cf0f3d6 commit 55b5876
Showing 2 changed files with 9 additions and 2 deletions.
Expand Up @@ -47,7 +47,14 @@ When rate limits are enabled for your {% data variables.product.product_name %}

{% data reusables.rest-api.always-check-your-limit %}

{% ifversion ghes %}By default, {% data variables.product.prodname_oauth_apps %}{% else %}{% data variables.product.prodname_oauth_apps %}{% endif %} are limited to {% ifversion ghae %}15,000{% elsif fpt or ghec or ghes %}5,000{% endif %} requests per hour and per authenticated user. All requests from {% data variables.product.prodname_oauth_apps %} that are authorized by a user or a {% data variables.product.pat_generic %} owned by the user, and requests authenticated with any of the user's authentication credentials, share the same quota of {% ifversion ghae %}15,000{% elsif fpt or ghec or ghes %}5,000{% endif %} requests per hour for that user.
{% data variables.product.prodname_oauth_apps %} can encounter rate limits during the following two actions:

1. When signing in users.
1. When making API calls.

{% data variables.product.prodname_oauth_apps %} should always cache their tokens, and only rarely need to sign in a user. Repeatedly signing in a user can be a sign of a bug, most frequently seen as an infinite loop between the app and {% data variables.product.company_short %}. If an app signs the user in ten times within one hour, the next sign in within the same hour will require re-authorization of the application. This ensures the user is aware that the app is minting so many tokens, and provides a break in what may be an infinite loop otherwise. This ten _sign in_ rate limit is distinct from the ten _token_ limit also enforced for {% data variables.product.prodname_oauth_apps %}. For information about the ten token limit, see "[AUTOTITLE](/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#creating-multiple-tokens-for-oauth-apps)."

{% ifversion ghes %}By default, {% data variables.product.prodname_oauth_apps %}{% else %}{% data variables.product.prodname_oauth_apps %}{% endif %} are also limited to {% ifversion ghae %}15,000{% elsif fpt or ghec or ghes %}5,000{% endif %} requests per hour and per authenticated user. All requests from {% data variables.product.prodname_oauth_apps %} that are authorized by a user or a {% data variables.product.pat_generic %} owned by the user, and requests authenticated with any of the user's authentication credentials, share the same quota of {% ifversion ghae %}15,000{% elsif fpt or ghec or ghes %}5,000{% endif %} requests per hour for that user.

{% ifversion fpt or ghec %}

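Review bot: the new paragraph beginning "{% data variables.product.prodname_oauth_apps %} should always cache their tokens" states that the ten sign-in limit "is distinct from the ten _token_ limit", but the other hunk in this same commit (data/reusables/apps/oauth-token-limit.md) now describes the hourly token rate limit as also triggering a re-authorization prompt, so a reader meets two limits with the same threshold (ten per hour) and the same consequence (re-authorization) and no sentence saying how they differ. Add one sentence here that says what counts toward the sign-in limit versus the token limit, or cross-link the two passages so the distinction is made in one place. Style: "sign in" used as a noun or adjective should be hyphenated ("the next sign-in", "This ten _sign-in_ rate limit"), keeping "signing in users" for the verb form.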
2 changes: 1 addition & 1 deletion data/reusables/apps/oauth-token-limit.md
@@ -1 +1 @@
There is a limit of ten tokens that are issued per user/application/scope combination, with a maximum rate limit of ten tokens created per hour. If an application creates more than ten tokens for the same user and the same scopes, the oldest tokens with the same user/application/scope combination are revoked. However, hitting the hourly rate limit will not revoke your oldest token. After the hour has passed, you will be able to create a token again, and by doing so your oldest token will be revoked.
There is a limit of ten tokens that are issued per user/application/scope combination, and a rate limit of ten tokens created per hour. If an application creates more than ten tokens for the same user and the same scopes, the oldest tokens with the same user/application/scope combination are revoked. However, hitting the hourly rate limit will not revoke your oldest token. Instead, it will trigger a re-authorization prompt within the browser, asking the user to double check the permissions they're granting your app. This prompt is intended to give a break to any potential infinite loop the app is stuck in, since there's little to no reason for an app to request ten tokens from the user within an hour.
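Review bot: the rewritten paragraph drops the previous closing sentence "After the hour has passed, you will be able to create a token again, and by doing so your oldest token will be revoked." without a replacement, so the reusable no longer says what happens once the hour elapses; if that behaviour is unchanged, keep that sentence after the new re-authorization text so readers know the revoke-oldest rule still applies when the window resets. Minor: "double check" as a verb should be "double-check", and "there's little to no reason" reads more informally than the surrounding documentation.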
