Rate limit on /token request in WSO2 Micro Gateway 3.1.0

1. Create an API within the Micro Gateway that fronts the key manager /token endpoint (https://<Key-Manager-Host>/oauth2/token) and apply throttling to it.

  • Initialize a project (micro-gw init <Project-Name>).
  • Define the throttling policy under the resourcePolicies section of policies.yaml, located in the initialized project folder.
resourcePolicies:
  - 10PerMin:
      count: 10
      unitTime: 1
      timeUnit: min
  • Define the API in the swagger.yaml file located in the <Project-Directory>/api_definitions/ directory. The resource path and HTTP method were not preserved in this copy of the article; /token with POST is assumed here, as is the schemes key.
openapi: 3.0.0
info:
  title: TokenAPI
  version: v1
  description: For APIM and MGW testing
servers:
  - url: https://test.com/
paths:
  /token:            # assumed resource path (not preserved in the extract)
    post:            # assumed method: the key manager token endpoint is POST
      x-wso2-throttling-tier: 10PerMin
      responses:
        '200':
          description: OK
x-wso2-production-endpoints:
  urls:
    - https://localhost:9443/oauth2/token
  type: http
x-wso2-basePath: /tokenapi/v1
x-wso2-disable-security: true
schemes:             # parent key of the two transports below is assumed
  - http
  - https
  • Open the file tokenServices.mustache in the ‘<WSO2-AM-MICRO-GW-TOOLKIT>/resources/templates/’ directory.
  • Remove the part below, which is the service config for the ‘/token’ endpoint, in order to disable the ‘/token’ endpoint of the Micro Gateway.
@http:ServiceConfig {
    auth: {
        enabled: false
    } {{#corsConfiguration.corsConfigurationEnabled}},
    cors: {
        allowOrigins: [{{#corsConfiguration.accessControlAllowOrigins}}"{{.}}"{{#unless @last}},{{/unless}}{{/corsConfiguration.accessControlAllowOrigins}}],
        allowCredentials: {{corsConfiguration.accessControlAllowCredentials}},
        allowHeaders: [{{#corsConfiguration.accessControlAllowHeaders}}"{{.}}"{{#unless @last}},{{/unless}}{{/corsConfiguration.accessControlAllowHeaders}}],
        allowMethods: [{{#corsConfiguration.accessControlAllowMethods}}"{{.}}"{{#unless @last}},{{/unless}}{{/corsConfiguration.accessControlAllowMethods}}]
    }{{/corsConfiguration.corsConfigurationEnabled}}
}
@gateway:Filters {
    skipAll: true
}
  • Build the project (micro-gw build <Project-Name>).

2. Apply throttling directly to the Micro Gateway token endpoint.

  • Open tokenServices.mustache file located in ‘<WSO2-AM-MICRO-GW-TOOLKIT>/resources/templates/’.
  • Add the following annotation below the ‘/token’ ServiceConfig. The name property was not preserved in this copy of the article; "token" is implied by the token__v1 service name used later in this step.
@gateway:API {
    name: "token",                 // implied by the service name token__v1 below
    apiVersion: "v1",
    apiTier: "10PerMin",
    authProviders: ["oauth2", "jwt"],
    security: {
        "mutualSSL": "",
        "applicationSecurityOptional": false
    }
}
  • Remove the configuration below, located under the ‘/token’ ServiceConfig.
@gateway:Filters {
    skipAll: true
}
  • Change the tokenService service name to ‘token__v1’ as below. (This name is derived from the @gateway:API configuration properties added earlier, as <name>__<apiVersion>.)
service token__v1 on tokenListenerEndpoint, apiSecureListener {
  • Add the following lines to the addTokenServicesFilterAnnotation() function, which is located at the bottom of the file.
string[] token__v1_service = ["tokenResource"];
gateway:populateAnnotationMaps("token__v1", token__v1, token__v1_service);
  • Build the project (micro-gw build <Project-Name>).
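
After either approach, the tier should be checked from the outside: the first ten token requests in a minute must reach the key manager and the eleventh must come back as HTTP 429. The script below is an added example, not code from the article or from the WSO2 project. It models the 10PerMin tier (count 10, unitTime 1, timeUnit min) as a fixed counting window so the expected accept/throttle pattern can be reasoned about offline, and it can probe a running gateway with a burst of client_credentials requests. The fixed-window model, the MGW_TOKEN_URL (the /tokenapi/v1 resource from approach 1, or the gateway's own /token endpoint after approach 2) and the client credentials are assumptions for illustration.

```python
"""Model and probe the 10PerMin tier applied to the token endpoint.

Added example; not code from the article or from WSO2. The gateway URL,
client credentials and the fixed-window counting model are assumptions.
"""
import base64
import os
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

# Seconds per timeUnit value used in policies.yaml ("min" is the one used above).
TIME_UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400}


@dataclass(frozen=True)
class ResourceTier:
    """One entry under resourcePolicies: 10PerMin has count 10, unitTime 1, timeUnit min."""
    name: str
    count: int
    unit_time: int
    time_unit: str

    def window_seconds(self) -> int:
        return self.unit_time * TIME_UNIT_SECONDS[self.time_unit]


class FixedWindowLimiter:
    """Counts requests per aligned window of tier.window_seconds() (assumed model).

    Whatever the gateway's real counter does, the first `count` requests in a
    quiet window pass and the next one is rejected; that is what probe() checks.
    """

    def __init__(self, tier: ResourceTier) -> None:
        self.tier = tier
        self.window_id = -1
        self.used = 0

    def decide(self, now: float) -> int:
        """HTTP status the limiter gives a request arriving at time `now` (seconds)."""
        window_id = int(now // self.tier.window_seconds())
        if window_id != self.window_id:  # a new window starts: reset the counter
            self.window_id = window_id
            self.used = 0
        if self.used >= self.tier.count:
            return 429  # over the tier limit: throttled
        self.used += 1
        return 200


def simulate(tier: ResourceTier, timestamps: List[float]) -> List[int]:
    """Status per request for requests arriving at the given times."""
    limiter = FixedWindowLimiter(tier)
    return [limiter.decide(t) for t in timestamps]


def first_throttled_index(statuses: List[int]) -> Optional[int]:
    """0-based index of the first 429, or None if nothing was throttled."""
    return next((i for i, s in enumerate(statuses) if s == 429), None)


def probe(url: str, client_id: str, client_secret: str, n: int,
          insecure: bool = False) -> List[int]:
    """Send n client_credentials token requests; return the HTTP status of each.

    Any non-429 status (200 for valid credentials, 401 for wrong ones) means the
    request was forwarded to the key manager; 429 means the gateway throttled it.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    ctx = None
    if insecure:  # only for self-signed development certificates
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    statuses = []
    for _ in range(n):
        req = urllib.request.Request(
            url, data=b"grant_type=client_credentials", method="POST",
            headers={"Authorization": f"Basic {creds}",
                     "Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
                statuses.append(resp.status)
        except urllib.error.HTTPError as err:
            statuses.append(err.code)
    return statuses


if __name__ == "__main__":
    tier = ResourceTier("10PerMin", count=10, unit_time=1, time_unit="min")
    # Offline: twelve requests one second apart; the 11th and 12th exceed the tier.
    print(simulate(tier, [float(i) for i in range(12)]))
    # Live: set MGW_TOKEN_URL, MGW_CLIENT_ID and MGW_CLIENT_SECRET (assumed names).
    url = os.environ.get("MGW_TOKEN_URL")
    if url:
        statuses = probe(url, os.environ["MGW_CLIENT_ID"], os.environ["MGW_CLIENT_SECRET"],
                         n=tier.count + 2, insecure=True)
        print(statuses, "first 429 at index", first_throttled_index(statuses))
```

Run it with MGW_TOKEN_URL unset to see the modelled pattern; with the three variables set it fires count + 2 requests at the gateway and reports where the first 429 appears, which should be index 10 for a fresh minute. If no 429 appears, the tier was not picked up (check that the policy name in swagger.yaml or the apiTier value matches the entry in policies.yaml exactly).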