Eloqua OAuth 2.0 Authorization Flow Initiation Limit (Nov 2018)

Version 6

    Updated: This notice was updated on August 23rd with additional information in the What's changing section below. Changes are marked in red.

     

    Overview

     

    With the arrival of Eloqua release 18D (Nov 16 - 17, 2018), we are modifying the Eloqua OAuth 2.0 authorization flow initiation to only accept one initiation per minute for any given User of an App. All authorization flows and endpoints are impacted, as detailed below.

     

    What’s changing?

     

    Currently, there is no restriction on how frequent the OAuth authorization flow can be initiated or how often authorization tokens can be requested or refreshed. As of the 18D release there will be throttling so an App cannot initiate the authorize flow more than once per minute for any given User of an App.

     

    With 18D, if an authorization flow is initiated by the same User for the same App within one minute, this will impact the authorization flows detailed in our Authenticate Using OAuth 2.0 reference documentation as follows:

     

    Using Code Grant (Section: To authenticate using an authorization code grant) and Using Implicit Grant (Section: To authenticate using an implicit grant)

     

    When either of these flows is initiated, the Eloqua User will first reach the Accept screen.

     

    Upon clicking Accept, the Eloqua User will receive a Too Many Requests message instead of being redirected back to the App.

     

    Using Password Credentials Grant (Section: To authenticate using a resource owner password credentials grant)

     

    Request (using the same example as the docs):

        POST https://login.eloqua.com/auth/oauth2/token
        Authorization: Basic Q09NUEFOWVhcdXNlcjE6cGFzc3dvcmQxMjM=

        {
          "grant_type": "password",
          "scope": "full",
          "username": "testsite\\testuser",
          "password": "user123"
        }

    Response:

        429 Too Many Requests
        Retry-After: 60

        {
          "error": "too_many_requests",
          "error_description": "This user has already authorized this app within the allowed time frame of 60 seconds."
        }

     

    Sending your Refresh Token to login.eloqua.com/auth/oauth2/token to obtain new tokens is not impacted by this change. For reference, this is Step 4 within the “To authenticate using an authorization code grant” flow within our Authenticate Using OAuth 2.0 reference documentation.

     

    Timeline

     

    With the arrival of Eloqua release 18D, an App cannot initiate the authorize flow more than once per minute for any given User of an App. Version 18D is anticipated to arrive between Nov 16 - 17, 2018. Check the Eloqua Release Center for specific dates and times.

     

    Next Steps

     

    If you currently initiate the authorize flow more than once per minute for any given User of your App, reduce this to at most once per minute.

     

    Regardless of the grant type, the Access Token returned is valid for 8 hours and can be refreshed using the Refresh Token without initiating the authorization flow again. By reusing the Access Token for its lifetime and then using the refresh flow, an App avoids the limit on initiating the authorization flow.

     

    Additional Resources

     

    View changes for Eloqua's APIs, including new features, significant recent changes, and platform notices, on the Eloqua Developer Changelog.

     

    If you have questions, post a discussion on Code It!

     

    FAQ

     

    Q: What OAuth 2.0 authorization flows are impacted?

    A: All authorization flows are impacted:

    • Code Grant
    • Implicit Grant
    • Password Credentials Grant

     

    Q: Will this apply to sending your Refresh Token to login.eloqua.com/auth/oauth2/token to obtain new tokens?

    A: No, using your Refresh Token to obtain new tokens will not be impacted by this limit.

     

    Q: Is there a scenario that would cause hitting this limit?

    A: One scenario that would cause hitting this limit is obtaining a new Access Token by initiating the authorization flow for every request using the Password Credentials Grant flow. This type of implementation is not best practice for utilizing OAuth 2.0.

     

    Q: What are some best practices to avoid hitting this limit?

    A: Regardless of the grant type, the Access Token returned is valid for 8 hours and can be refreshed using the Refresh Token without initiating the authorization flow again.
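The pattern recommended in Next Steps and in this FAQ answer (reuse the Access Token for its 8-hour lifetime, refresh it with the Refresh Token, and only start the throttled password grant when there is nothing to refresh), written out as an added example client; this is not Eloqua's own code. It assumes an injected transport `post(url, headers, body)` returning `(status, headers, json)` so it runs offline, and assumes the token endpoint answers refresh requests with the same JSON shape as the password grant.

```python
import base64
import time

TOKEN_URL = "https://login.eloqua.com/auth/oauth2/token"
ACCESS_TOKEN_TTL = 8 * 60 * 60   # the notice states access tokens are valid for 8 hours
INITIATION_INTERVAL = 60         # one authorize-flow initiation per user of an app per minute


class EloquaTokenClient:
    """Reuses the cached access token, refreshes it with the refresh token (not
    throttled), and starts the password grant only when it has nothing else.
    `post(url, headers, body)` is an injected transport returning
    (status, headers, json) so the logic can run offline (assumption)."""

    def __init__(self, client_id, client_secret, username, password, post, clock=time.time):
        creds = f"{client_id}:{client_secret}".encode()
        self.basic = "Basic " + base64.b64encode(creds).decode()  # HTTP Basic client auth
        self.username, self.password = username, password
        self.post, self.clock = post, clock
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0
        self.last_initiation = float("-inf")  # clock time of the last throttled flow start

    def _token_request(self, body):
        status, headers, resp = self.post(TOKEN_URL, {"Authorization": self.basic}, body)
        if status == 429:
            # Server-side limit hit: back off for Retry-After, never retry in a tight loop
            raise RuntimeError(f"throttled; retry after {headers.get('Retry-After', '60')}s")
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + resp.get("expires_in", ACCESS_TOKEN_TTL)
        return self.access_token

    def get_access_token(self):
        now = self.clock()
        if self.access_token and now < self.expires_at - 60:  # 60 s safety margin
            return self.access_token                          # cached: no network call
        if self.refresh_token:                                # refresh is not rate-limited
            return self._token_request({"grant_type": "refresh_token", "scope": "full",
                                        "refresh_token": self.refresh_token})
        if now - self.last_initiation < INITIATION_INTERVAL:  # would trip the 18D limit
            raise RuntimeError("authorize flow already initiated within the last 60 s")
        self.last_initiation = now
        return self._token_request({"grant_type": "password", "scope": "full",
                                    "username": self.username, "password": self.password})
```

Per request, call `get_access_token()` and send the result as a Bearer token; the password grant is only sent once per 8-hour window unless the refresh fails.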