As a system administrator, I want POST /auth/client-select to be rate limited by IP address, so that an attacker cannot enumerate valid usernames or abuse OIDC discovery at scale.
See app/controllers/oidc_login_controller.rb:25
expertiza#335 (comment)
As a system administrator, I want POST /auth/client-select to be rate limited by IP address, so that an attacker cannot enumerate valid usernames or abuse OIDC discovery at scale.
See app/controllers/oidc_login_controller.rb:25
expertiza#335 (comment)