# ory-selfhosting
s
does kratos do any exponential rate limiting to combat brute force attacks on users passwords?
m
Hello @some-bear-63847, no rate limiting is implemented on Kratos APIs out of the box - afaict it's out of the project's scope and should be handled with a dedicated solution.
s
I am not sure I understand this. To be clear, by rate limiting I mean delaying before allowing a given IP address or username to submit a login attempt. This delay can be increased exponentially so as to create minimum problems for users who mistype their passwords, but maximum difficulty for attempts to brute force user accounts. This logic requires (by definition) the timestamp and username of the last failed login attempt. This is information that Kratos has, and it would be difficult for other external proxies to discover (without the risk of leaking valid credential info). I would have expected that Kratos would have been the perfect place to implement this feature - but perhaps I am missing an elegant alternative solution?
s
E.g. Cloudflare allows custom rate-limit rules that can also use the request body, with the great benefit that the counter is globally distributed, while Kratos would have to somehow sync the counters between instances. You could also use e.g. Envoy when you run it yourself.
s
Thanks, that is useful, and you are quite correct about the multiple instances of Kratos - though I expected them to coordinate through a single instance of CockroachDB. Unfortunately we are running self-hosted and Oathkeeper is our proxy to the outside. However, the systems we deploy are never connected to the public internet, so the risk is also much lower. It will have to be a decision for our customers if they want to wrap Oathkeeper in another proxy to do rate limiting.
s
We'd always recommend some kind of WAF.
a
I'd recommend putting another proxy/WAF in front of your Oathkeeper instance. As I understand it, Oathkeeper should be as close to your app server as possible. I use HAProxy as my external WAF/proxy. You can set up rate limiting there very easily.
s
Yes exactly, I meant that we recommend a WAF in front of Oathkeeper.